Nuclear Regulation NEA/CSNI/R(2014)9 July 2014 www.oecd-nea.org

Probabilistic Safety Assessment (PSA) of Natural External Hazards Including Earthquakes

Workshop Proceedings Prague, Czech Republic 17-20 June 2013


Organisation de Coopération et de Développement Économiques
Organisation for Economic Co-operation and Development
02-Jul-2014
English text only
NUCLEAR ENERGY AGENCY
COMMITTEE ON THE SAFETY OF NUCLEAR INSTALLATIONS
Unclassified NEA/CSNI/R(2014)9



JT03360085

Complete document available on OLIS in its original format.

This document and any map included herein are without prejudice to the status of or sovereignty over any territory, to the delimitation of international frontiers and boundaries and to the name of any territory, city or area.


ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT

The OECD is a unique forum where the governments of 34 democracies work together to address the economic, social and environmental challenges of globalisation. The OECD is also at the forefront of efforts to understand and to help governments respond to new developments and concerns, such as corporate governance, the information economy and the challenges of an ageing population. The Organisation provides a setting where governments can compare policy experiences, seek answers to common problems, identify good practice and work to co-ordinate domestic and international policies.

The OECD member countries are: Australia, Austria, Belgium, Canada, Chile, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Israel, Italy, Japan, Luxembourg, Mexico, the Netherlands, New Zealand, Norway, Poland, Portugal, the Republic of Korea, the Slovak Republic, Slovenia, Spain, Sweden, Switzerland, Turkey, the United Kingdom and the United States. The European Commission takes part in the work of the OECD.

OECD Publishing disseminates widely the results of the Organisation’s statistics gathering and research on economic, social and environmental issues, as well as the conventions, guidelines and standards agreed by its members.

This work is published on the responsibility of the OECD Secretary-General. The opinions expressed and arguments employed herein do not necessarily reflect the official views of the Organisation or of the governments of its member countries.

NUCLEAR ENERGY AGENCY

The OECD Nuclear Energy Agency (NEA) was established on 1 February 1958. Current NEA membership consists of 31 countries: Australia, Austria, Belgium, Canada, the Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Luxembourg, Mexico, the Netherlands, Norway, Poland, Portugal, the Republic of Korea, the Russian Federation, the Slovak Republic, Slovenia, Spain, Sweden, Switzerland, Turkey, the United Kingdom and the United States. The European Commission also takes part in the work of the Agency.

The mission of the NEA is:

– to assist its member countries in maintaining and further developing, through international co-operation, the scientific, technological and legal bases required for a safe, environmentally friendly and economical use of nuclear energy for peaceful purposes, as well as

– to provide authoritative assessments and to forge common understandings on key issues, as input to government decisions on nuclear energy policy and to broader OECD policy analyses in areas such as energy and sustainable development.

Specific areas of competence of the NEA include the safety and regulation of nuclear activities, radioactive waste management, radiological protection, nuclear science, economic and technical analyses of the nuclear fuel cycle, nuclear law and liability, and public information. The NEA Data Bank provides nuclear data and computer program services for participating countries. In these and related tasks, the NEA works in close collaboration with the International Atomic Energy Agency in Vienna, with which it has a Co-operation Agreement, as well as with other international organisations in the nuclear field.

Corrigenda to OECD publications may be found online at: www.oecd.org/publishing/corrigenda.

© OECD 2013

You can copy, download or print OECD content for your own use, and you can include excerpts from OECD publications, databases and multimedia products in your own documents, presentations, blogs, websites and teaching materials, provided that suitable acknowledgment of the OECD as source and copyright owner is given. All requests for public or commercial use and translation rights should be submitted to [email protected]. Requests for permission to photocopy portions of this material for public or commercial use shall be addressed directly to the Copyright Clearance Center (CCC) at [email protected] or the Centre français d'exploitation du droit de copie (CFC) [email protected].


COMMITTEE ON THE SAFETY OF NUCLEAR INSTALLATIONS

Within the OECD framework, the NEA Committee on the Safety of Nuclear Installations (CSNI) is an international committee made up of senior scientists and engineers, with broad responsibilities for safety technology and research programmes, as well as representatives from regulatory authorities. It was set up in 1973 to develop and co-ordinate the activities of the NEA concerning the technical aspects of the design, construction and operation of nuclear installations insofar as they affect the safety of such installations.

The committee’s purpose is to foster international co-operation in nuclear safety amongst the NEA member countries. The CSNI’s main tasks are to exchange technical information and to promote collaboration between research, development, engineering and regulatory organisations; to review operating experience and the state of knowledge on selected topics of nuclear safety technology and safety assessment; to initiate and conduct programmes to overcome discrepancies, develop improvements and research consensus on technical issues; and to promote the co-ordination of work that serves to maintain competence in nuclear safety matters, including the establishment of joint undertakings.

The clear priority of the committee is on the safety of nuclear installations and the design and construction of new reactors and installations. For advanced reactor designs the committee provides a forum for improving safety related knowledge and a vehicle for joint research.

In implementing its programme, the CSNI establishes co-operative mechanisms with the NEA’s Committee on Nuclear Regulatory Activities (CNRA), which is responsible for the programme of the Agency concerning the regulation, licensing and inspection of nuclear installations with regard to safety. It also co-operates with the other NEA Standing Committees as well as with key international organisations (e.g., the IAEA) on matters of common interest.


Table of Contents

EXECUTIVE SUMMARY

1. INTRODUCTION
   1.1 Background
   1.2 Objectives of the Workshop
   1.3 Organization of the Workshop
   1.4 Topics of the Workshop

2. RECENT WGRISK ACTIVITIES PRECEDING ORGANIZATION OF THE WORKSHOP
   2.1 WGRISK workshop on seismic hazards PSA
   2.2 WGRISK survey project on non-seismic external events
   2.3 WGRISK broad survey project on PSA use and development
   2.4 WGRISK most recent activities related to the area of external events PSA

3. SUMMARY OF THE WORKSHOP ON PSA OF NATURAL EXTERNAL HAZARDS
   3.1 Opening Session
   3.2 Session 1 – Analysis of natural external hazards potential
   3.3 Session 2 – Specific features of analysis and modeling of particular external hazards
   3.4 Session 3 – Practices and research efforts on natural external events PSA
   3.5 Session 4 – Modeling of NPP response to natural external events in PSA
   3.6 Session 5 – Seismic risk analysis
   3.7 Session 6 – Use of external events PSA with the focus on regulatory body role
   3.8 Facilitated discussions

4. CONCLUSIONS AND RECOMMENDATIONS MADE IN THE WORKSHOP
   4.1 Status of EE-PSA including recent developments
   4.2 Challenges in external analysis methods and organization
   4.3 General conclusions regarding future role of WGRISK

5. REFERENCES

APPENDICES
   1. LIST OF PARTICIPANTS
   2. WORKSHOP AGENDA
   3. PAPERS/PRESENTATIONS


EXECUTIVE SUMMARY

The Fukushima Dai-ichi accident triggered discussions about the significance of external hazards and their treatment in safety analyses. In addition, stress test results have shown vulnerabilities and the potential for cliff-edge effects in plant responses to external hazards and have identified possibilities and priorities for improvements and for the implementation of safety measures at specific sites and designs.

In order to address these issues and provide relevant conclusions and recommendations to CSNI and CNRA, the CSNI Working Group on Risk Assessment (WGRISK) directed, in cooperation with the CSNI Working Group on Integrity and Ageing of Components and Structures (WGIAGE), a workshop entitled “International Workshop on PSA¹ of Natural External Hazards Including Earthquakes”, hosted by UJV Rez, on June 17-19, 2013, in Prague, Czech Republic.

The key objectives of the workshop were to collect information from the OECD member states on methods and approaches being used, and experience gained in probabilistic safety assessment of natural external hazards, as well as to support the fulfillment of the CSNI task on “PSA of natural external hazards including earthquakes.” These objectives are described in more detail in the introduction in Chapter 1 of this report.

The workshop was built upon previous relevant WGRISK and WGIAGE activities, including a Specialists Meeting on Seismic Probabilistic Safety Assessment (SPSA) of Nuclear Facilities (2006, Jeju Island, Korea), a Workshop on Recent Findings and Developments in Probabilistic Seismic Hazards Analysis (PSHA) Methodologies and Applications (2008, Lyon, France), a report on Probabilistic Safety Analysis (PSA) of Other External Events Than Earthquake (2009) and other activities and publications. The WGRISK activities preceding the workshop and leading to the decision to organize it are described in Chapter 2 of this report.

The focus of the workshop was on external events PSA for nuclear power plants, including all modes of operation. The workshop scope was generally limited to external, natural hazards, including those hazards where the distinction between natural and man-made hazards is not sharp (e.g., external floods caused by dam failures). The participation was open to experts from regulatory authorities and their technical support organizations, research organizations, utilities, nuclear power plant (NPP) designers and vendors, industry associations and observers from OECD NEA member countries. The detailed information about the presentations, discussions, and results of the workshop is presented in Chapter 3 of this report.

¹ In this report, the terms Probabilistic Safety Analysis (PSA) and Probabilistic Risk Analysis (PRA) are used interchangeably.

Some general conclusions, presented in the following paragraphs, were agreed on during the workshop.

• The lessons learned from the Fukushima Dai-ichi reactor accidents and related actions at the national, regional, and global level have emphasized the importance of assessing risks associated with external hazards, including combinations of those hazards, and their impacts. It is important that such an analysis covers not only individual plant units, but also the site as a whole, including all dependent effects and impacts.

• While systematic approaches for addressing external hazards in PSA currently exist and there is a well-developed state-of-practice (e.g., with respect to external flooding, seismic, high winds), additional work is needed; for example, the use of conservative approaches to address uncertainties might be practical, but more realistic evaluations provide a better view of the real problems.

• Some methods and guides are available for seismic hazard determination, identification of external hazards, screening² of external events for detailed consequence analysis, including several lists of screening criteria. However, additional development is also needed in the area of consensus standards and guides; for example, the IAEA continues developing the methodological support for external hazards analysis.

• The major areas of concern in external hazards studies are:

1. Scope of the PSA for external events in terms of plant operation regimes (e.g., full power, low power and shutdown operational states),

2. Combinations of external hazards impacts,

3. Multi-unit impacts, and

4. Screening procedure for site-specific hazards.

• The following are significant technical/methodological challenges for external hazard PSA:

1) Fragility analysis of non-seismic external hazards,

2) Correlation effects and consequent damage scenarios,

3) Human Reliability Analysis (HRA) for external events PSA,

4) PSA mission times for long-term external event scenarios, and

5) Significance and magnitude of the effects of climate changes on the hazard frequencies and magnitudes.

• The following aspects are considered to be important good practice attributes for external hazard modeling in PRA:

1) Critically challenging assumptions,

2) Calibrating models,

3) Accounting for underlying physical processes,

4) Fully treating dependencies,

5) Involving multidisciplinary teams, and

6) Promptly and broadly disseminating information.

² In this context, the term screening refers to a systematic process that distinguishes items that should be included or excluded from an analysis based on defined criteria.

Recognizing the impetus for action provided by actual operational events (including the Fort Calhoun flooding³ as well as the Fukushima Dai-ichi reactor accidents), it has been noted that WGRISK can provide stronger (and better-focused) cases for action by increasing its use of operating experience feedback. Among other things, this could imply strengthening ties with associated international working groups, particularly the NEA/Committee of Nuclear Regulatory Authorities (CNRA) Working Group on Operating Experience (WGOE).

An additional action for WGRISK suggested by our review concerns the tracking of past recommendations. It appears that increased efforts by the WGRISK leadership to systematically track and dispose report recommendations would help ensure that each task performed by the group more strongly supports the group’s overall objectives, and would help WGRISK improve its strategic planning processes.

Detailed information about the conclusions made during the workshop is presented in Chapter 4 of this report.

³ See U.S. Nuclear Regulatory Commission Event Notification Number 46929, dated June 6, 2011, for additional information (http://www.nrc.gov/reading-rm/doc-collections/event-status/event/2011/20110606en.html#en46929).


1. Introduction

1.1 Background

External hazards (both natural and man-made ones) have been addressed in many past PSAs. Nevertheless, the Fukushima Dai-ichi reactor accidents have raised many questions, including the probabilistic treatment of combined causal or consequential hazards, the treatment of plant response (including the possibility of multi-unit effects, of extended duration scenarios, and of post-core damage complications affecting accident management), and the identification and assessment of effective mitigation strategies and accident management measures. Moreover, there are large variations across member countries regarding requirements and practices.

In order to address these issues and provide relevant conclusions and recommendations to CSNI and CNRA, the CSNI Working Group on Risk Assessment (WGRISK) directed, in cooperation with the CSNI Working Group on Integrity and Ageing of Components and Structures (WGIAGE), a workshop entitled “International Workshop on PSA of Natural External Hazards including Earthquakes”, hosted by UJV Rez, on 17-19 June 2013, in Prague, Czech Republic.

The workshop focusing on natural external hazards facilitated the discussion of these issues and the identification/promotion of good practices. In doing so, it supported the treatment of specific concerns raised in:

• A recent CNRA Senior Task Group on the impact of the Fukushima Dai-ichi reactor accidents regarding risk assessment of external initiating events, technical approaches for assessing external hazards other than earthquake, such as tsunami, tornados, floods, etc., and

• NEA documents in terms of initiating event assessment, identification of cliff-edge effects, assessment of accident management approaches, etc.

The workshop was built upon previous, relevant WGRISK and WGIAGE activities, including a Specialists Meeting on Seismic Probabilistic Safety Assessment (SPSA) of Nuclear Facilities (2006, Jeju Island, Korea), a Workshop on Recent Findings and Developments in Probabilistic Seismic Hazards Analysis (PSHA) Methodologies and Applications (2008, Lyon, France), and a report on Probabilistic Safety Analysis (PSA) of Other External Events Than Earthquake (2009) [1], [2], [3]. The workshop was also coordinated with relevant international workshops and conferences, notably the Probabilistic Safety Assessment and Management (PSAM) Topical Conference held on April 15-17, 2013 in Tokyo, with a focus on the Fukushima event, as well as with relevant IAEA activities (e.g., the recent initiative to expand the current TECDOC on PSA quality to include internal and external hazards). It was expected that the workshop output would also be useful to the CNRA Working Group on Regulation of New Reactors as it develops a report on siting for new reactors. The results of the workshop are also likely to be useful to the recently established CSNI Task Group on Natural External Events (TGNEV).

1.2 Objectives of the Workshop

As stated in the CSNI Activity Proposal Sheet (CAPS) WGRISK (2012)-1, “Workshop on PSA of Natural External Hazards Including Earthquakes,” the key objectives of the workshop were to collect information from the OECD member states on methods and approaches being used and experience gained in probabilistic safety assessment (PSA) of natural external hazards.


The main objectives of the CSNI task have been defined as follows:

• to share methods, good practices and experiences among member states on PSA analysis for natural external hazards,

• to support assessment of current state of probabilistic analyses of natural external hazards,

• to support re-evaluation of PSAs for natural external hazards, in particular as a tool to address the lessons to be learned from the Fukushima Dai-ichi reactor accidents,

• to evaluate use of PSA in identification/justification of appropriate mitigation and accident management measures in the frame of post stress test implementation programmes,

• to identify new potential topics for further WGRISK and WGIAGE activities in this area.

The information obtained as a result of the workshop should give a better understanding and interpretation of subjects, topics and issues connected with external hazards analysis. This report, comprising comments on good practices and experiences in member states, including lessons learned from the experience of the Fukushima Dai-ichi reactor accidents, was prepared based on information presented and discussed during the workshop.

1.3 Organization of the Workshop

The focus of the workshop was on external events PSA for nuclear power plants (NPP), including all modes of operation. The workshop scope was generally limited to external, natural hazards, including those where the distinction between natural and man-made hazards is not sharp (e.g., external floods caused by dam failures); see also the List of External Hazards in ANSI/ANS-58.21-2003 [4]. Fires (including external fires) were not included in the workshop scope, because Fire PSA was the subject of a separate planned WGRISK workshop¹.

The main part of the workshop (June 17-19, 2013) included an opening session, technical sessions devoted to technical presentations made by the participants on the topics outlined below, facilitated discussion sessions, and a concluding session. All of the workshop participants were welcome to take part in the discussions and to formulate conclusions and recommendations. On Thursday June 20, 2014, a specific writing session restricted to the session chairs/co-chairs was organized with the goal of preparing an initial draft of this report, which would summarize the important ideas expressed during the workshop and would provide a list of conclusions and recommendations for identifying possible further actions of WGRISK and WGIAGE.

¹ Under CAPS WGRISK (2012)-2, “Workshop on FIRE PRA in Member Countries,” a workshop is to be held in April 2014 in Garching, Germany on the state-of-the-art methods for quantitative fire risk assessment of NPPs and associated applications.

1.4 Topics of the Workshop

The workshop scope included the following topics:

• Analysis of natural external hazards potential

o Process of identification, screening and grouping of external events,

o Estimation of potential for external event occurrence, including specific features of estimating the frequency of low probability events related to meteorological hazards of very high intensity (extrapolations from available data),

o Potential of consequential events/hazards,

o Potential of the occurrence of events caused by combined external hazards or by combinations of external and internal hazards,

o Treatment of uncertainties in hazard assessment,

o Data on natural hazards;

• Analysis and modeling of NPP response to natural external events – general common features

o Analysis and modeling of plant response to external hazards (including fragilities of systems, structures, and components (SSC)),

o Treatment of multiunit effects of external hazards (including effects on onsite spent fuel and waste storage facilities),

o Analysis of local and broad effects of external hazards, including long-term loss of the electrical grid and the final heat sink,

o Addressing specific features of plant operation regimes in analysis and modeling (including low power and shut down operations),

o Evaluation of the effectiveness of measures to be taken in anticipation of gradually developing external hazards,

o Human factors in plant response to external events (including effects of multiple units and events combinations),

o Approaches to extended duration scenarios involving external events, (including events involving a stabilized but damaged plant),

o Modeling of plant response to the events caused by combined external hazards,

o Level 2 PSA aspects of external hazards risk analysis including evaluation of accident management measures in case of external events,

o Treatment of uncertainties and sensitivity analysis in PSA for external hazards,

• Specific features of analysis and modeling of particular natural external hazards

o Specific features of seismic risk analysis (floor spectra, spatial interactions, associated hazards as seismically induced internal/external floods, fires, etc.),

o Specific features of flooding risk analysis (floods caused by dam failures, analysis of combined flooding loads - e.g., storm surge plus precipitation induced flooding, etc.),


o Modeling and quantification of risk related to specific meteorological external hazards (extreme winds/tornadoes and wind-driven missiles, extremely high/low temperature, extreme precipitation/snow, low water level, drought, lightning, sandstorm, etc.),

o Modeling and quantification of risk related to other external hazards (electromagnetic interference, biological events, etc.),

• Use of external events PSA in risk-informed decision making

o Applications of external events PSA methods and models in regulatory oversight,

o Use of external events PSA in risk-informed safety management by the licensees and other non-regulatory applications of external events PSA,

o Treatment of external events PSA uncertainties in risk-informed decision making,

• Fukushima Dai-ichi reactor accidents – lessons learned and measures (to be) taken

o Re-assessment of external hazards risk in view of Fukushima accident,

o How external events PSA is being used in the implementation process of appropriate safety measures following the Stress Tests or other NPP re-assessments,

o New standards development (an example - Tsunami PRA Standard development by the Atomic Energy Society of Japan).

The participation was open to experts from regulatory authorities and their technical support organizations, research organizations, utilities, NPP designers and vendors, industry associations and observers.


2. Recent WGRISK Activities Preceding Organization of the Workshop

Prior to the Fukushima Dai-ichi reactor accidents in March 2011, WGRISK had sponsored or co-sponsored a number of PSA-related activities. These activities also included several projects and workshops, which were completely or partially devoted to external events risk:

• a 2006 workshop on seismic hazards and PSA (co-sponsored with the CSNI Working Group on Integrity of Components and Structures – WGIAGE) [1],

• a 2008 survey project addressing the treatment of non-seismic external events in PSA [3],

• a periodic survey of member country uses of PSA (last updated in 2012 based on information collected in 2010) [5].

During its 2006 Annual Meeting, WGRISK held an organized technical discussion on the PSA treatment of non-seismic external events. This discussion resulted from the need to review external hazards PSAs for both existing and new reactors. Other motivating factors were the potential implications of recent natural catastrophes, not only for nuclear energy, but across technologies and ongoing discussions concerning climate change. As a result of this technical discussion, WGRISK, with CSNI approval, initiated several projects during the next years, in which the issue of external hazards/events risk played a major or at least significant role.

The description of the most important WGRISK activities in the following paragraphs is based on the information presented in the paper [6].

2.1 WGRISK Workshop on Seismic Hazards PSA

On November 6-8, 2006, WGRISK and WGIAGE held a jointly organized specialist meeting on Seismic PSA for nuclear facilities. The meeting, which was held in Jeju, Korea, was co-sponsored by the OECD/NEA, the IAEA, the Korean Atomic Energy Research Institute (KAERI), and the Korea Institute of Nuclear Safety (KINS). For WGRISK, this meeting represented the latest in a series of activities on seismic PSA, including the development of a state of the art report in 1998 [7], a workshop held in Tokyo in 1999 [8], and the writing of a technical opinion paper in 2002 [9].

The main objectives of the meeting were to review recent advances in the methodology of seismic PSA, to discuss practical applications, to review the current state of the art, and to identify methodological issues where further research would be beneficial in enhancing the usefulness of the methodology. The meeting also included discussions of the Seismic Margin Assessment (SMA) methodology. The topics covered by the meeting included the regulatory framework for and objectives of seismic PSA (and SMA), lessons learned from such studies, and seismic PSA methodological issues. The meeting also included extended discussions on seismic hazard and fragility analyses.

The participants in the meeting agreed that seismic PSA was in widespread use by plant designers, operators and regulators, that applications were increasing (as compared to the situation in 1999), and that seismic PSA may contribute to understanding of seismic risk, understanding of the significance of design shortfalls, prioritizing improvements, evaluating and improving regulations, and modifying plant design bases.

Methodological weaknesses of current seismic PSA were identified during the meeting in Jeju in three important areas:

• Probabilistic seismic hazard analysis – PSHA (with emphasis on the analysis of areas with low-to-moderate seismicity),

• Human reliability analysis (HRA) in seismic PSA (including both physical effects, e.g., equipment damage, loss of local and site access, consequential fires, multiple unit impacts; and mental effects, e.g., conflicting organizational goals, staff concerns with family impacts, etc.),

• Correlations between the fragilities of systems, structures, and components treated in seismic PSA (notably the difficulties in assessing such correlations).

According to the recommendations of the Jeju Workshop, WGIAGE organized a workshop on Recent Findings and Developments in Probabilistic Seismic Hazards Analysis (PSHA) Methodologies and Applications in Lyon, France in 2008 [2].

The key technical issues regarding the treatment of low likelihood/high consequence natural events and of operator actions, illustrated later by the Fukushima Dai-ichi reactor accidents and post-accident investigations, were identified as challenges already in this meeting. Two papers regarding multi-unit seismic PSA [10], [11] provided demonstrations of practical approaches focused on propagating the correlation of seismic hazards and fragilities, leading to the conclusion that upcoming analyses would need to extend the presented approaches to address modeling concerns illustrated later by the Fukushima Dai-ichi reactor accidents, including direct interactions between units and human related interactions. The meeting also included a paper on the treatment of seismic aftershocks [12], which, as in the case of the multi-unit analyses, represented an advance on a difficult topic.

The meeting did not make significant mention of seismically induced tsunami, but this topic, which was identified as important at a 2005 workshop on external flooding hazards organized by the IAEA (see [13]) remained of interest for the next WGRISK activities. On the other hand, although the meeting papers made little mention of HRA for seismic PSA, important HRA challenges were discussed during the meeting and became a key element for future development.

2.2 WGRISK Survey Project on Non-seismic External Events

The objective of the project, which is described in detail in the final report [3], was to review the methods for risk analysis of off-site external events other than earthquake as well as the results and the insights developed in these analyses in order to present a basis for advances in the area. The project scope was limited to non-seismic external events to avoid overlap with the WGRISK activity on seismic PSA discussed in the previous chapter. It did, however, include seismically generated tsunamis. As is typical for WGRISK activities, the work involved the development and issuance of a questionnaire for WGRISK members and a number of meetings of principal task participants.

The questionnaire included 17 questions (two questions added later) addressing such matters as regulatory requirements, the scope of analyses, analysis methods, and results. Responses were received from 12 countries: Belgium, Canada, Chinese Taipei, Finland, France, Germany, Japan, Korea, Mexico, the Slovak Republic, Switzerland, and the United States. The final report was prepared for CSNI approval in March 2009.

Based on the questionnaire responses and subsequent discussions, the project participants concluded that external events were playing an increasing role in PSA and that there was a general trend in regulatory requirements towards consideration of all hazard categories (internal and external). Detailed analyses for some plants have shown that the contribution from non-seismic external events can be significant. The frequency and intensity of extreme weather events, and consequently their risk significance, may be affected by natural climate variability and by human-induced global warming.

The report’s main general recommendations were to follow research on climate change and its effects (including potential effects on nuclear power plants, such as those being studied by IAEA), to re-evaluate the situation on external events PSA in a few years and to encourage analysis of operational events caused by external hazards.

With respect to the methods and practice of PSA, the report identified and discussed most of the PSA-related technical issues later highlighted by the Fukushima Dai-ichi reactor accidents, including:

• the potential hazard posed by tsunamis (and, in particular, seismically-induced tsunamis),
• the combined treatment of external hazards associated with a single event,
• the estimation of the frequency-magnitude relationship for extreme phenomena, including associated uncertainties,
• the treatment of dependent failures caused or influenced by an external event,
• the effects of external hazards on plant operators,
• multi-unit effects, and
• modelling very long duration scenarios.

As can be seen from the detailed information about the Prague workshop, which is the main subject of this report, most of these early-identified topics became important issues in the Prague discussions.

2.3 WGRISK Task on PSA Use and Development

The results of information exchange during the WGRISK annual meetings, complemented by a detailed questionnaire, have been compiled in a CSNI report entitled “The Use and Development of Probabilistic Safety Assessment”, first issued in 2002 [14], then updated in 2007 [15] and in 2012 [4]. The task was carried out in cooperation with the IAEA, thus providing a better overview of PSA worldwide. The area of external events was also covered by the report to some extent – both in the common part (general conclusions) and in the quoted contributions of the individual participants in the effort.

For the most recent edition, detailed responses were prepared by about 20 countries on the following important PSA aspects: PSA framework and environment, numerical safety criteria, PSA standards and guidance, status and scope of PSA programs, PSA methodology and data, PSA applications, results and insights from PSA, future development and research (most of them also including the case of external events analysis). The compilation provides reference information to both PSA practitioners and others involved in the nuclear industry. Appendix A of this unique compilation characterizes the scope and use of PSA performed for each plant in most of the WGRISK member countries (including the extent to which specific PSA developed for operating NPPs address the external hazards).

It should be noted that the contents of this report were generated either prior to the March 2011 accidents at the Fukushima Dai-ichi nuclear power station or as the accidents were unfolding (and related information was still developing). Although some important details about the accidents are still unknown, it is clear that lessons from the accidents raise challenges to the use and development of PSA in WGRISK member countries.

Several insights were drawn from the updated report, particularly oriented to the extensions of the scope of the PSAs performed in the member countries (including the area of external hazards). It appears that many countries are heading towards a “Living PSA” including both Level 1 and Level 2, for both full power and shutdown plant operational states, and both internal and external hazards and events.

The following general remarks noted in the report can be seen as important for characterizing the situation in PSA development and applications worldwide (with specific focus on external events):

• All the PSA developments and applications already described in the previous versions of the report are still valid and regularly improving/increasing. This applies to the importance of the PSA framework, the number of studies carried out, the PSA scope (including assessment of external hazards), the number of applications (for design and operation safety improvements), and the volume of ongoing research. It can be noted that although PSA methods and applications have made real progress during these last years, a significant level of development is still in progress.
• The development of new and advanced designs has led to a more rapid development in particular fields. Examples include the definition of a more formal framework, more precise safety goals, efforts relating to the importance of external hazards and to new specific problems like reliability of digital systems and reliability of passive systems. A tendency towards harmonization (in goals and approaches) clearly appears (significantly supported by IAEA effort).
• WGRISK was expected to use the results of this report, as moderated by Fukushima response activities, to monitor the conduct of its ongoing activities, and to promote and implement new international collaborative efforts within the framework of the CSNI.

The survey report and its predecessors routinely discuss key topic areas highlighted by real accidents. For example, it provides an overview of research and development activities conducted by the members and other participating countries in such relevant areas as external hazards analysis (also mentioning ongoing, pre-2011 work regarding probabilistic tsunami hazard assessment), HRA, Level 2 PSA, and Level 3 PSA. Although details are not provided, the descriptions are sufficient to indicate areas of emphasis or lack thereof. For example, the descriptions appear to indicate that particular combinations of topics (e.g., HRA for particular external events) had not been emphasized by national programs up to now.

The aim of the PSA use and development report was to give an overview of the existing situation. However, this overview with real examples is useful for encouraging further scope extension, especially for new plants. For future updates of the report, WGRISK is planning to identify what would be the impact of the Fukushima accident on PSA use and development in member countries, in order to share and to support the most interesting practices. Particular attention would be given to post-Fukushima plant safety modifications (many of them addressing external events scenarios) underlined by PSA results.

2.4 WGRISK Most Recent Activities Related to External Events PSA

In consideration of insights and lessons learned from the Fukushima Dai-ichi reactor accidents and subsequent national stress tests, WGRISK has performed a number of tasks. One of them was the preparation of the workshop on “PSA of Natural External Hazards Including Earthquakes”, which is the main topic of this report. The objectives of this workshop were defined based on concise discussions regarding the significance of external hazards and their treatment in safety analyses. Additional background has been provided by the stress tests results, which have shown vulnerabilities and the existence of cliff-edge effects in plant responses to external hazards and have identified the potential and priorities for improvements and safety measures for specific sites and designs.

It was discussed and decided that the workshop would focus on natural hazards and would facilitate the discussion of these issues and the identification and promotion of good practices. The main objectives of the workshop were proposed as:

• to support assessment of the current state of probabilistic analyses of natural external hazards and combinations of these with other hazards and initiating events,
• to support re-evaluation of PSAs for natural external hazards, in particular as a tool to address the lessons to be learned from the Fukushima accident,
• to evaluate the use of PSA in identification or justification of appropriate mitigation and accident management measures in the frame of post stress tests implementation programmes, and
• to share methods and good practices and experiences among member states on PSA analysis for natural external hazards, in particular on accident mitigation measures.

The June 2013 Prague workshop on external hazards did not address Fire PSA as this is a topic of a parallel WGRISK activity. An international workshop on Fire PSA in Member Countries will be held in April 2014 and hosted by GRS in Garching, Germany, as a follow-up of a former WGRISK activity. This workshop will be the latest in a series of WGRISK activities on that topic, including a state-of-the-art report developed in 2000 [16] as a result of the first WGRISK workshop on fire risk [17], and a Technical Opinion Paper on the subject [18].

The first fire workshop [17] clearly demonstrated the need for continually improving methods and data for fire risk assessment. A follow-up workshop, carried out again as a WGRISK task in 2005, provided insights on the developments and the progress reached at that time. However, it also demonstrated that there were still challenges in predicting fire risk, and this resulted in several fire-related activities of the Nuclear Energy Agency (NEA). The reactor accidents at Fukushima Dai-ichi and the consequential stress tests have increased the already strong level of attention on dependent hazards (including fire), and have strengthened discussions on addressing event combinations (e.g., seismically-induced fires) in safety analyses including PSA. In this way, the area of external hazards was strongly cross-connected with fire risk analysis issues.

The main objective of the newly planned workshop on Fire PRA is to develop recommendations regarding a potential future update of the state-of-the-art report on fire risk analysis including further development of methods for fire risk analysis, collection of operating experience and processing of data to be used in Fire PRA applications. This covers in particular supporting probabilistic assessment of fire events during all plant operational states from start of operation up to the longer lasting post-commercial operating phases and re-evaluation of fire PSA, e.g. as a tool to address the lessons learned from the post-Fukushima investigations and stress tests with respect to fire hazards and, particularly, their combinations with other external hazards.

Finally, it should be pointed out that WGRISK will be starting another external hazards related activity on PSA insights relating to the loss of electrical sources. The motivation for this activity is provided, in part, by post-Fukushima discussions on defense-in-depth and the importance of ensuring the robustness of safety functions (especially electrical sources and heat sink). WGRISK considers that PSA is an excellent tool for providing insights related to the potential consequences (e.g., core damage, large releases) of the loss of a function, and relating the defenses aiming to avoid these consequences with a quantitative appreciation of their importance. The use of (external events) PSA results could provide a useful measure of defense-in-depth in case of loss of a safety function. The new WGRISK activity will survey member countries and other participating organizations on specific aspects of this topic.

The main PSA issues identified within recent WGRISK efforts have been strongly connected with the external events issues. These issues have included:

• the hazards and likelihoods of extreme natural phenomena (including seismically induced tsunamis),
• the combined treatment of all external hazards associated with an external event,
• the treatment of dependent failures caused or influenced by an external event,
• the effect of external hazards on plant operators and severe accident mitigation,
• multi-unit effects.

Moreover, in the CSNI framework, WGRISK could provide a contribution to the newly created Task Group on Natural External Events for including a risk aspect.

3. Summary of the Workshop on PSA of Natural External Hazards

The workshop included an opening session, six sessions with participant presentations followed by short discussion, and two facilitated discussion sessions. The contributions presented were devoted to new methodological developments, projects with external hazards analysis activities, interesting aspects of external hazards analysis and expected challenges for future analyses.

3.1 Opening Session

The opening session consisted of three presentations:

• N. Siu (NRC, USA): Overview Notes: Workshop on Probabilistic Flood Hazard Assessment (PFHA) and PSAM Topical Conference in Light of the Fukushima Dai-ichi Accident,
• K. Hibino (IAEA): Safety Assessment of Multi-unit NPP Sites Subject to External Events,
• J. Misak (UJV Rez, Czech Republic): Lessons learned from the EU Stress Test Evaluations with Regard to External Hazards.

The aim of the first presentation was to present objectives and main observations from two recent important events:

• a multi-agency PFHA workshop, which was organized by the NRC in Rockville, MD, USA on 29-31 January 2013 with the aim to share information on extreme flood assessments and PSA, and to discuss ways to develop PFHA for PSAs; this workshop highlighted commonalities between the PFHA and PSA communities, the complementarity between deterministic and probabilistic approaches, the need for multi-disciplinary teams, and the need for imagination when performing PFHA; and
• the PSAM Topical Conference held in Tokyo, Japan, on April 15-17, 2013 and dedicated to sharing lessons and on-going activities relevant to the Fukushima Dai-ichi reactor accidents; in particular the lessons for safety professionals and risk-informed decision makers (e.g., the need to challenge assumptions and to listen to experts and interact with the international community).

One notable observation was the recurring nature of some of these issues as many relevant conclusions had been made following previous operating events (e.g., after the Blayais flooding event in 1999) [19]. For example, the Blayais event highlighted the possibility that a common mode of degradation of the safety level could simultaneously impact all the units at a site, weaknesses in the site protection against external flooding and the need to manage the release of water collected in the flooded facilities. This underscores the need to fully consider the lessons learned from operating experience.

The general objective of the second presentation was to discuss the need to develop, within the IAEA’s extrabudgetary effort, detailed guidance, methods and tools for assessing multi-unit site safety against multiple external hazards, in particular to establish a framework for conducting a PSA of external hazards affecting a multi-unit site. It was pointed out that the following known technical issues are not supported by the existing guides:

• identification of initiating events (IEs) that impact more than one unit,
• modelling of plant response to external events, in general,
• treatment of common cause failure (CCF),
• treatment of HRA,
• treatment of fragility correlation for single and multiple hazards,
• definition of risk metrics.

A flow chart for the overall approach was presented, starting from selection of PRA and risk metrics up to combination of event sequence frequencies and consequences into Level 3 risk metrics. During the discussion, the importance of coordination of research and application effort was addressed (including coordination of activities with IAEA).

The last presentation was oriented to a critical review of the lessons learned from the European Union (EU) Stress Test, focusing on NPP robustness against external hazards. These lessons addressed:

• organization of the stress tests,
• scope and objectives of the stress tests,
• peer review findings, recommendations and implications on the design in the area of external hazards,
• further studies recommended in the area of external hazards and PSA,
• relevant research areas identified by the SNETP Task Group in response to the Fukushima accident.

Some important conclusions were made in the final part of the presentation:

• Vulnerability to the Fukushima Dai-ichi reactor accidents caused by external hazards and including their secondary effects was underestimated,
• Lessons learned from Fukushima Dai-ichi reactor accidents, from the EU Stress Test and from peer reviews are to be reflected in safety improvements of operating plants and considered in new designs,
• While no completely new phenomena were revealed from the Fukushima Dai-ichi reactor accidents, improvements in specific research areas (including external hazards and use of PSA) should be considered with high priority.

These three presentations showed that efforts had been devoted, at national and international levels, to addressing the lessons from the Fukushima Dai-ichi accident, in particular in the area of external hazard PSA. While these efforts are noteworthy, they have demonstrated the technical and resource challenges associated with this area. Therefore, continued coordination of these efforts at the international level is recommended in order to optimize resources and technically address the topic of “External Hazard PSA”, taking into account lessons learned from the Fukushima accident and subsequent complementary safety assessment.

3.2 Session 1 - Analysis of Natural External Hazards Potential

Four papers were presented in Session 1. Two papers focused on the identification and screening of relevant hazards and their combinations. One of them (J. Helander, Fennovoima) treated a new site while the other one (H. Kollasko, AREVA) was more general. These papers had similarities in the approach described. One paper treated seismic hazard assessment for NPP sites (L. Pecinka, UJV Rez) and one paper described a mathematical method for estimating the probabilities of a combination of correlated external hazards (L. Burgazzi, ENEA).

The first paper was presented by L. Burgazzi, ENEA, Italian National Agency for New Technologies, Energy and Sustainable Economic Development, on the topic “Implementation of PSA models to estimate the probabilities associated with external event combination”. In the light of the Fukushima accident, correlated hazards are of special interest in PSA for external hazards. A mathematical method for modeling correlations was proposed in the presentation and an illustrative example was presented. The method is based on joint probability distributions and covariance matrices.

The second paper was presented by J. Helander, Fennovoima Oy, Finland, on the topic “External hazard identification, screening and studies for a new plant site”. The process of screening external hazards for a new NPP site in northern Finland was described. The paper presented a list of Finnish and international guides and standards useful in evaluating external hazards, including, among others, Finnish regulatory YVL Guides, IAEA Safety Guides, and ASME standards. In addition, a methodology was presented for identifying and screening in or out site-specific hazards in a new nuclear power plant project. Applying the screening criteria to a list of about 60 external hazards resulted in a list of 12 relevant events for the Hanhikivi site requiring further studies.

The third paper was presented by H. Kollasko, AREVA, on the topic “Probabilistic Analysis of External Events with Focus on the Fukushima Event”. The external event screening analysis was described in the paper as a method to evaluate the design against external hazards and especially beyond design external hazards. The screening analysis identifies those external hazards that need to be analyzed in detail as Design Extension Hazards (DEH), either in the probabilistic safety analysis or by margin assessments, to demonstrate robustness of the design.

The effects of single and combined external events need to be analyzed. In light of the Fukushima Dai-ichi reactor accidents, the focus has shifted to the identification of relevant combinations of external hazards for which the effect of the combination of events is more severe than a simple summation of the events taken individually due to additional correlated effects. However, identification of these event combinations can be hindered if certain external hazards are screened out early in the assessment process. Furthermore, when external hazards are screened out individually, these hazards are often omitted during data collection. From the perspective of identification of potential relevant event combinations, this lack of data may constitute a drawback as vital information may not be available. It is therefore important to ensure that the full spectrum of hazards is included in the process of analysis of combinations. However, it was noted that some guidelines do not allow screening of certain hazards, especially earthquakes, as these hazards are applicable to nearly all sites and they are subject to specific regulations.

To cover an important case of a transient induced by combined hazards, the correlation mechanisms with the potential to induce hazards to the plant and effects on safety functions need to be investigated in detail. Because these types of accident sequences are often associated with a combination of low frequency external events, the screening process should consider the potential for inducing a large early release. Therefore, screening should be based on LERF (large early release frequency) and not on CDF (core damage frequency).

The effects of beyond design external events may complicate the performance of possible accident management actions to cope with hazard induced unavailability of safety systems. Such actions are:

• actions to refill water storages and fuel oil storages for beyond design mission times,
• actions to start back-up systems,
• actions to recover failed/damaged components.

In addition, the Fukushima Dai-ichi reactor accidents have shown that the analysis of beyond design external hazards must take into account severe damage on the plant infrastructure and the public infrastructure. Offsite support, e.g. delivery of diesel fuel oil or make-up water, which is usually credited in safety analyses as available, may not be possible at all, or may at least be much more difficult to manage.

As discussed by the author, a systematic approach to external events screening provides a means for early demonstration of plant robustness regarding external hazards and combinations of them. Site-specific information, e.g., data on strength and frequency of beyond design external events, is an important basic input to the external events screening analysis. This input is needed as early as possible for new projects in order to have any potential site-specific issue taken into account in the early phase of the project and reflected in plant design. The experience from the ongoing projects has shown that it is not always possible to receive this information at an adequate level of detail. As a consequence, the external hazards screening often involves engineering judgment. Care must be taken that the assumptions applied are properly documented to allow later check or revision, e.g., in the frame of periodic safety reviews.

The last paper was presented by L. Pecinka, UJV Rez, a.s., and addressed the topic “Seismic Hazard Assessment for NPPs in Czech Republic”. The Czech Republic is a country with a very low seismicity. For the evaluation of seismic hazards of two operating NPPs with VVER type reactors, the IAEA Safety Guide 50-SG-S1 “Earthquakes and associated topics in relation to nuclear power plant siting” [20] had been used and the peak ground acceleration value has been established as 0.1 g. However, a higher level of seismic safety for nuclear power plants is now required after the Fukushima event, which is reflected in the IAEA Safety Guide SSG-9 [21]. Safety Guide SSG-9 represents the collective knowledge gained from recent significant earthquakes and includes new methods for probabilistic seismic hazard analysis and strong motion simulation. This safety guide will be applied to the two new units planned to be built on the Temelin site.

The following observations can be made on the basis of the presentations in Session 1, although generally applicable conclusions cannot be based just on four papers for such a wide topic:

• Methods and guides are available for
  - seismic hazard determination,
  - identification of external hazards
      - list of potential hazards,
  - screening of external hazards for detailed PSA
      - lists of screening criteria,
  - mathematical treatment of probabilities of correlated hazards.
• Identification of correlations between external hazards is important.
• Useful hazard estimates can be determined with current methods.
  - However, hazard estimates are often little supported with site specific data.
  - Data is usually available for a period of the order of 100 years (or less).
  - Screening criteria typically approach the value of 1E-08/year.
  - Strong extrapolation using extreme value distributions, which induces high uncertainty, is necessary.
• When engineering judgment is applied, the associated uncertainties have to be understood and addressed.

The information about the analyses of external hazard potential and on the related uncertainties, screening of hazards etc. was also included in more general papers presented in the other sessions, for example in

• Estimation of frequency of occurrence of extreme natural external events of very high intensity on the base of (non)available data by J. Holý (ÚJV Řež) et al. (Session 2),
• Seismic Hazard Assessment and Uncertainties Treatment: Discussion on the current French regulation, practices and open issues by C. Berge-Thierry, CEA-Saclay, France (Session 2).

3.3 Session 2 - Specific Features of Analysis and Modeling of Particular Natural Hazards to be Improved

Four papers were presented in this session related to specific features of analysis and modelling of particular external hazards.

The first paper, “Estimation of frequency of rare natural external events of very high intensity on the base of (non-)available data” by J. Holy (UJV Rez, Czech Republic), was devoted to the use of information from the design basis for natural external hazards for assessing initiating events frequency in PSA. Sparse historical data were analyzed with different probabilistic distributions and a Gumbel distribution was proposed as the best choice for the mathematical model of the potential to reach extreme parameters of high wind and heavy snow (in agreement with IAEA recommendations). The reason for selecting this distribution was that the other distributions tested (three-parameter lognormal) provided unrealistic non-conservative estimates of parameters of external events with a return period of 10 000 years. The conclusion is that the selection of the probabilistic distribution and careful selection of the most suitable data source are important for a more realistic assessment of external events frequency.

The second paper, “External hazards in the PRA of Olkiluoto 1 and 2 NPP units - accidental oil spills” by L. Tunturivuori (TVO, Finland), presented the analysis of oil spill accidents with a functional and probabilistic approach (fault trees), taking into account the possible scenarios and the oil spill arrangements at Olkiluoto. This detailed approach led to a realistic assessment of the frequency and consequences of the oil spill event. It has made it possible to evaluate the impact of the arrangements implemented by TVO, particularly to perform some safety improvements (installation of oil booms, automatic alarm).

The third paper, “Current status and issues of external event PSA for extreme natural hazards after Fukushima accident” by In-Kil Choi (KAERI, Korea), outlined the important effort of the Korean nuclear industry to improve the resistance of NPPs against large earthquakes and tsunamis. The paper described collection and use of specific data, risk assessment of the effects of several safety improvements, and research activities concerning earthquake and tsunami as well as other external hazards. The paper concluded that the current, more realistic assessment of external hazards risk allows the effective safety improvements to be evaluated, notably after Fukushima.

The fourth paper, “Realistic modeling of external flooding scenarios” by J. L. Brinkman (NRG, Netherlands), presented an analysis of external flooding in the Netherlands, with a detailed analysis of the real effects of the water level on flood protections (dikes, dunes, …), and the identification and probabilistic assessment of relevant scenarios. The analysis provided a realistic evaluation of the critical flooding level and the effects of protection measures. The paper provided a detailed discussion of important flooding induced failure modes of protective systems (not just overtopping) and pointed out a number of drawbacks of deterministic approaches to flooding protection, observing that scenarios involving less than design basis flooding levels could be important contributors to risk.

Although very different in scope and topics, these four papers had similar objectives. The main idea was to develop methods and studies aiming to obtain more realistic risk assessments, neither too optimistic nor too conservative. These more realistic evaluations provide a better view of the real problems and also a better view of the impact of safety improvements. In fact, some safety improvements could not be covered with an overly simplified and conservative approach (protection against oil spills in Finland, against tsunami in Korea, against external flooding in the Netherlands).

3.4 Session 3 - Practices and Research Efforts on Natural External Hazards PSA

There were four presentations in this session, one presentation by U.S. NRC, one presentation by GRS from Germany and two presentations by IRSN from France.

N. Siu from U.S. NRC made a presentation titled “Consideration of external hazards and multi-source interactions in the U.S. NRC’s site level 3 PSA project”. The U.S. NRC launched a project in September 2011 to evaluate the total risk at a selected reference NPP (the Vogtle plant) for the entire set of initiators, including external hazards. The scope of this risk evaluation was given as “reactor in all operational modes, including full power, low power and shutdown modes, spent fuel pool and dry cask storage, where all the internal and external hazards are considered”. As part of this study, an Integrated Site Risk Analysis (ISRA) addressing the combinations of and interactions between the different sources of radiological risk (reactors, spent fuel pool (SFP), dry casks) is underway. A number of modeling and implementation challenges were identified. The former include the problem of combinatorial explosion associated with the need to treat multiple sources over extended periods of time.

S. Sperbeck from GRS made a presentation titled “Recent research on natural hazards PSA in Germany and future need”. The German PSA Guide and its supplementary technical documents on PSA methods and data require PSA to be carried out within the periodic safety review (PSR). Since 2005, this also covers probabilistic analyses for some internal and external hazards. After the Fukushima Dai-ichi reactor accidents, it has been recommended that the safety assessment of an NPP also contain a comprehensive Level 1 PSA for all internal and site-specific external hazards, a so-called Hazards PSA (HPSA), and a methodology to perform HPSA is being developed accordingly. A systematic method aimed at identifying important hazard combinations and associated dependencies among PSA initiating events was presented. Hazard Equipment Lists (HEL) and Hazard Dependency Lists (HDL) were introduced, as a part of the new methodology, for all hazards which have to be analyzed in detail. These lists are used for a systematic (and partly automatic) extension of the fault trees in the Level 1 PSA quantification model.

P. Dupuy from IRSN made a presentation titled “Treatment of the loss of ultimate heat sink initiating events in the IRSN PSA”. The total loss of ultimate heat sink event was recognized to be induced by external hazards and to affect all the site’s units, considering the event at Cruas-4 in 2009 and the Fukushima Dai-ichi reactor accidents. The PSA model for total loss of ultimate heat sink was updated to reflect such items as longer recovery time of the heat sink, multi-unit impact, associated design improvement and symptom-based emergency procedures. After this update, the core damage frequency for the initiating event “loss of heat sink during full power operation” was reduced from 6.1E-06/r.y. to 5.5E-07/r.y. The dominant accident sequence in the updated PSA corresponds to exhaustion of the secondary water reserves before heat sink recovery, which is a sequence involving multi-unit considerations and models.

G. Georgescu from IRSN made a presentation titled “PSA modeling of long-term accident sequences”. In French PSAs, even before the Fukushima Dai-ichi accidents, long-term accident sequences were taken into account. However, in the short term, IRSN intends to enhance the modeling conditions of the “long-term” accident sequences induced by loss of the heat sink and/or the loss of external power supply. In past studies, a mission time longer than 24 hours was already assumed, and as long as 192 hours in the Flamanville-3 EPR’s “extreme wind” Level 1 PSA study. IRSN intends to promote a generic study which could be used as a benchmark methodology for assessing long-term accident sequences, mainly generated by external hazards and their combinations.

As described above, in the USA, Germany and France, PSA studies for long-term accident sequences caused by various external hazards are being promoted. The study challenges include:

• Scope of the PSA: reactor in full power, low power, shutdown states, SFP and dry cask storage,

• combination of external hazards,

• mission time for long duration scenarios,

• multi-unit impacts,

• establishing screening procedures for analysis of site specific hazards.

3.5 Session 4 - Modeling of NPP Response to Natural Hazards in PSA

Session 4 was dedicated to those papers discussing examples of PSA projects from four different countries, where external hazards were modeled. Three papers concerned NPPs and one paper was devoted to a spent fuel interim storage facility.

The first presentation was made on the topic “External Events PSA for the Paks NPP (2012)” by T. Siklossy from NUBIKI, Hungary. The Hungarian nuclear safety regulatory body requires a risk assessment of external hazards beyond the design basis, up to the cut-off frequency of 1E-07 per reactor year. A quantitative risk assessment of external (not screened out) hazards was performed and plant CDF for some hazard categories was enumerated. The unscreened hazard categories included earthquakes, extreme winds, rainfall, snow, extremely high and low temperatures, frost and ice formation, as well as lightning, tornado, and blockage of water intake filters. The current PSA models include wind, snow and frost hazards for which plant CDF was calculated. Plant risk due to extreme rainfall and lightning was found insignificant. The scope of analysis includes shutdown states, as well as at-power operation. Unresolved issues and the needs for follow-up analyses were identified and proposed.

The second presentation was made by T. Kozlik, KKG, Switzerland on “Treatment of external events in the linked event tree methodology for Goesgen-Daeniken NPP”. This PWR type plant has an integrated PSA model based on the “linked event tree methodology”. The model is run by RISKMAN software which quantifies Level 1 and Level 2 PSA models for internal and external events. The scope of the external hazards analysis includes seismic events, extreme winds and tornados, external floods, and service water intake flooding. Other external hazards were screened out. The paper provided some details of the external flooding modeling and data used. After recent plant modifications, which included flood barriers, the CDF (and LERF) from external flooding were estimated to be negligible. There is an ongoing study aimed at re-evaluating seismic hazards in Switzerland (the PEGASOS refinement project).

The third presentation was made by M. Jaros, UJV Rez on the topic “External events analysis in PSA studies for Czech NPPs”. In this presentation, external event analyses in PSAs of two NPPs, Dukovany and Temelin, were described. For both plants, external hazards have been gradually incorporated into the PSA models in the last decade. In 2008, the following external hazard categories were screened in for analysis in the NPP Dukovany PSA: storms, extreme high/low temperatures, extreme snow and wind, tornados and seismic events. Recently, a revision of the past selection and screening of external hazards for detailed analysis was done using the new EPRI methodology released in 2012 [22]. For the Temelin NPP, the screened in hazards (other than seismic) were found to be negligible contributors to plant risk.

The last presentation was made by T. Puukka, TVO, Finland, on the topic “The probabilistic risk analysis of external hazards of an interim storage for spent nuclear fuel in Olkiluoto.” This work is an example of non-reactor external hazards modeling. The study started in 2012, following the responses to the Fukushima event. A detailed analysis has been carried out, and 13 hazards (sea-related and others), and seismic events were included. Quantitative results were produced. Based on the results, specific improvements in the plant design were proposed.

The following observations can be made from the papers presented and the subsequent workshop discussion:

• External hazards have been modeled in various NPP PSAs over the last decade, including events during shutdown and low power operation.

• Many examples of plant (reactor and non-reactor) improvements due to external event analyses do exist.

• Some organizations plan to use the external events (EE) PSA to quantify the impact of post Fukushima actions.

• All organizations intend to develop EE PSA in a more systematic manner.

• Level 2 EE PSA has not been systematically included into the scope of external events analysis.

• Possible subjects for international cooperation should be discussed (such as screening, for example - criteria and results).

3.6 Session 5 – Seismic Risk Analysis

In the fifth session five contributions of four countries and one of the IAEA were presented. In this chapter, they are summarized first per contribution in an extended way followed by a summary of the major overall conclusions from this session.

The presentation “Guidance on implementing seismic PSA” by O. Coman, IAEA, was devoted to development of guidelines for implementation of a seismic PSA. If successful, these guidelines can close an important gap. ASME/ANS PRA standards and the related IAEA Safety Guide (IAEA NS-G-2.13 [23]) describe capability requirements for seismic PSA in order to support risk-informed applications. However, practical guidance on how to meet these requirements is limited. Such guidelines could significantly contribute to improving risk-informed safety demonstration, safety management and decision making. Extensions of this effort to further PSA areas, particularly to PSA for other external hazards, can enhance risk-informed applications.

The presentation “Seismic hazard assessment and uncertainties treatment regarding French regulation” by C. Berge-Thierry, CEA, France started with the fact that, based on the lessons learned from the Fukushima accidents, seismic design and safety analyses have been reviewed extensively in France, e.g. as a part of the EU Stress Test. Within this review, a thorough examination of current regulations and practices in seismic hazard assessment for NPP sites in France was made; several technical issues were identified that have to be further dealt with. In particular, the necessity of a full scope probabilistic seismic hazard assessment (PSHA) has been pointed out with an emphasis put upon including and quantifying the effects of epistemic uncertainties. Since national experience may be insufficient to fully cope with this task, the importance of international co-operation was highlighted in the presentation. It is recommended to study in more detail whether the new findings can be generalized and postulated as valid for other member states with NPP sites of moderate or low level of seismicity.

The presentation “Level-1 seismic probabilistic risk assessment for a PWR plant” by K. Kondo, JNES, Japan, was oriented to the development of seismic PSA models and risk quantification in a pilot study for a Japanese PWR. The probability of simultaneous correlated failures for multiple components has been evaluated in the study by using the power multiplier (PM) method presented in NUREG/CR-4840 [24]. The difference in CDF between the case of conventional PM and that of PM = 1 (complete dependence) was found quite small, only 3 %. However, the influence of PM on CDF increased up to 20 % if the impact of emergency core cooling system (ECCS) piping fragility was neglected. In the future, more realistic evaluations of correlated simultaneous failures are seen as desirable. It is noted that a 20 % change in the CDF estimate can be expected at maximum in this seismic PSA.

The fourth presentation was “Seismic PRA of a BWR Plant” by M. Nishio, JNES, Japan, which described the seismic PSA performed for a BWR-5 plant and evaluated the dominant accident sequences leading to core and/or primary containment vessel (PCV) damage, in order to identify dominant scenarios of severe accidents. The analytical models and the results of Level 1 seismic PSA were presented. The initiating events with dominant contributions to CDF include the loss of all alternating sources of electric power (station blackout) and large LOCA. The most important accident sequence is the simultaneous occurrence of station blackout and large LOCA. Plant CDF can be lowered substantially by increasing the seismic capacity of the diesel generators. Follow-on activities to this seismic PSA may include (1) removal of some unnecessary conservatism, (2) refinement of success criteria for plant systems in response to seismic-induced transients and (3) inclusion of seismically induced tsunami in the analysis.

The last presentation was “Seismic design of non-reactor nuclear facilities” by M. Mummert, NUKEM, Germany. In M. Mummert’s proposal for a systematically structured approach to seismic safety and seismic classification of non-reactor nuclear facilities, an observation was made indicating less rigorous design and less safety analyses for such facilities in comparison to nuclear power plants. Although this finding cannot be fully generalized on the basis of isolated observations, the importance of external hazards PSA for non-reactor radiological sources has to be stressed. The Fukushima experience clearly confirms the validity of this finding. In the member states, a continuous development has been addressed in the scope of PSA over the past decades in terms of operating modes, initiating events/hazards and radiological sources. It is suggested that a full scope PSA should be pursued in all these aspects.

Some general conclusions can be drawn from the results and findings reported in the papers of Session 5. These conclusions address various technical issues of seismic risk analysis. Some of them may help, in a broader sense, to advance PSA for other types of external hazards, and risk-informed decision making involving considerations of risk from external hazards:

• IAEA is developing a “how to do” document on implementing seismic PSA in order to provide technical guidance helping to meet the requirements of the ASME/ANS PRA standard [25] and IAEA Safety Guide NS-G-2.13 [23] for the support of risk-informed applications.

• Implementation guidance for a broader scope of external hazards PSA as well as IAEA’s efforts to help with the extension of PSA models for internal and external hazards should contribute to improving risk-informed safety demonstrations, safety management and decision-making,

• Comprehensive and critical reviews of seismic hazard assessments (SHA) have been found of paramount importance in France, which can be valid also for other countries to identify and close gaps in methodology including NPP sites with moderate or low seismicity,

• An important response of the French authority and utilities to the Fukushima accident is an improvement of the Complementary Safety Studies (CSS) in order to complete the scenario based approach by probabilistic seismic hazard assessment (PSHA) with appropriate treatment of epistemic uncertainties,

• Based on the results and findings from developing seismic PSA models for selected Japanese plant designs, the need to improve the quantification of correlated simultaneous failures has been highlighted.

• The risk from seismic induced hazards has to be considered as well. Accordingly, the Atomic Energy Society of Japan (AESJ) is developing guidelines on tsunami PSA. Seismically induced consequential hazards may be an important risk factor even if the site is not vulnerable to tsunami, with seismic induced fires and flooding being examples that typically need to be accounted for in a seismic PSA.

• The use of a structured and systematic approach to seismic design and safety analysis is indispensable to ensure sufficient defense of non-reactor nuclear facilities against earthquakes.

3.7 Session 6 - Use of external events PSA with the focus on regulatory body role

The papers of Session 6 gave an overview of the regulatory approach in Germany, USA, Canada, Japan and Finland regarding the PSA requirements and the development of regulation, focusing on external hazards and the impact of the Fukushima Dai-ichi accidents.

M. Krauß, BfS, Germany, described in his paper “Actual regulatory developments concerning the implementation of probabilistic safety analyzes for external hazards in Germany” how the recent activities in the context of the Fukushima Dai-ichi reactor accidents, such as the WENRA and new IAEA safety requirements and EU Stress Test, have influenced the revision of the German national nuclear safety regulations, completed in 2012. Additionally, the recommendations and guidelines of the German Nuclear Safety Standards Commission (KTA) and the expert group FAK PSA, an advisory board of the Federal Ministry of Environment, Nature Conservation and Nuclear Safety (BMU) led by the Federal Office for Radiation Protection (BfS), will provide new updates to the regulation in 2014. The updates have focused on the natural hazards “earthquake” and “flooding” in the German regulations. However, explicit consideration of all natural hazards is required.

The second paper titled “Incorporation of All Hazard Categories into U.S. NRC PRA Model” by S. Sancaktar discussed how the U.S. NRC has incorporated additional hazard categories into a set of nuclear power plant PRA models (Standardized Plant Analysis Risk, SPAR models) prepared by the NRC’s Office of Nuclear Regulatory Research since 2004. Currently, there are 18 SPAR-AHZ models addressing additional hazard categories such as internal flooding and fires, seismic and wind-related hazards. These models allow the U.S. NRC risk analysts to make independent quantitative estimates of event and plant risk.

Two additional activities being pursued currently at the U.S. NRC may further improve the completeness of the SPAR-AHZ models:

• A better process to evaluate, and, if appropriate, include the impact of multiple and concurrent events in a PRA model, with emphasis put on seismically induced fire and flooding events,

• a Level 3 PRA model study that includes multi-unit, multi-source events (e.g. spent fuel pool and storage casks, in addition to the reactor) covering all operational modes and hazards (see Section 3.4 of this report).

M. Xu from the Canadian Nuclear Safety Commission (CNSC) introduced CNSC’s Fukushima Action Items (FAI) with respect to external hazards evaluation: FAI 2.1.1 Re-evaluation of external hazards and FAI 2.1.2 Re-evaluation of design protection against external hazards. Seismic events, external floods, high winds and consequential hazards are to be considered. These two FAIs also require the Canadian licensees to evaluate the cliff-edge effects corresponding to the WENRA Stress Test specifications and the U.S. NRC approach.

The fourth paper titled “Strategies towards Enterprising Development and Application of External Events PRA Standards in Japan” by K. Kondo, JNES discussed the background and development of PRA standards (Levels 1, 2 and 3) in Japan with the focus on external hazards PRA standards. A standard for procedures of seismic PRA was issued in September 2007, implementation standards for tsunami in February 2012 and the standard for internal flooding in November 2012. The development of standards is ongoing, including new standards for fires and quality of PRA, and additional revisions of the existing standards to cover consequential events and shutdown states. Japanese experts strongly emphasize the importance of the assessment of external hazards.

The fifth paper titled “The Role of External Events PSA in the Finnish Regulatory Approach” by J. Sandberg, Radiation and Nuclear Safety Authority (STUK), Department of Nuclear Reactor Regulation, Finland gave an overview of the Finnish regulatory basis on PSA with the focus on external hazards. PSA has widely been used in Finland to support regulatory decision making since the late 1980s. Seismic hazards, harsh weather conditions and other off-site external hazards were included in the PSA models of the operating units in the 1990s and several updates and extensions have been carried out since then. For new units, a preliminary full scope PSA is required in the design phase, which shall be refined during construction. PSA and, in particular, external hazards PSA has proven to be an important tool in safety management and regulation in Finland. The licensee’s positive attitude has resulted in long-term commitment to development and application of PSA, active development of PSA methods, and additionally created in-house expertise and understanding of plant and site specific issues.

The following main conclusions can be drawn based on the presented papers:

• Although probabilistic methods for assessing risks of internal events have been commonly required on regulatory basis, requirements for addressing external hazards were mainly restricted to the assessment of seismic impact on the plant.

• Lessons learned from the Fukushima Dai-ichi reactor accidents and related actions at national, European and global level have emphasized the importance of assessing risks associated with all natural hazards, combinations of those and their impact on plant sites with several units.

• Based on the papers of the workshop, regulators in many countries have taken actions to include external seismic risk, external flooding and, to some generally differing extent, the other external hazards in PSA practices and safety regulations; national safety requirements have been re-evaluated and development is still ongoing.

• Finland is an example of a country having long traditions and broad experience in requiring and using external hazards PSA including seismic, external flooding and other natural hazards, as an integral part of PSA and decision making.

3.8 Facilitated Discussions

Two facilitated discussions were held during the workshop on the following general topics:

• Where do we stand in risk analysis of external events?

• Findings and good practices for external events analysis.

The first discussion was facilitated by J. Holy, the second one by N. Siu.

3.8.1 Status of External Hazards PSA – Selected Topics

Regarding the status of external hazards PSA, important aspects of the following topics were addressed in the discussions:

• vulnerability and fragility analysis,

• PSA modeling and analysis of strong external events impacting more than one unit located at a plant site,

• specific features of plant operation regimes (low power and shutdown) analysis,

• human reliability analysis,

• extended duration scenarios,

• combined external hazards, and

• climate change.

Vulnerability and fragility analysis

The simple concept of fragility (as a scalar) is very useful in seismic PSA, but can be more problematic in other situations where the hazard needs to be characterized by a number of parameters. For example, the treatment of wind-driven missiles needs to consider speed and angle, as well as the physical characteristics of the missile. As another example, a detailed treatment of floods needs to consider, in addition to water level, such things as dynamic forces, persistence, and the potential for clogging. In addition, new challenges have to be addressed also in the area of fragility analysis of (non-seismic) events such as extreme snow, extreme wind, extremely heavy rain and other external hazards.

The vulnerability and fragility analysis should address correlation effects and consequent damage (e.g., the impact of generated missiles). However, both methodological support and the volume of useful information defining good practices are very limited. There is a need for methodological improvements and guidance to address these issues.

More generally, there is a need for methodological developments and associated PSA guides and standards to address non-seismic fragilities. Generic and hazard-specific guidance could help, for example, PSA analysts attempting to develop fragilities for lightning-induced events based on information provided in industrial standards for lightning protection.

There is a need for an authoritative, common source of information (e.g., references or a database) on fragilities covering the wide range of external hazards that need to be considered.

Multiunit effects

Multi-unit effects analysis is another area requiring consideration of the correlation of component failures due to the shared characteristics of similar components located at different units impacted by the external event. Methodological support is limited, and some guide or standard would be extremely useful.

Consideration of the potentially site-wide effects of external hazards also brings some new specific methodology issues, particularly related to dependency, human factors, success criteria etc.

Limitations in plant resources to manage multiunit events should be addressed carefully (as there may be no help available from another unit on site).

The establishment of appropriate safety goals for multiunit events remains a challenge (albeit a challenge not unique to external hazards PSA).

External events PSA for various operation regimes and non-reactor sources of risk

A number of workshop presentations indicated some degree of coverage of external hazards analysis for non-power modes of operation and some papers explicitly addressed analyses for storage facilities. It is important to look beyond reactors when assessing the risk from external hazards.

From a Level 2 PSA perspective, it is important to recognize that for some non-reactor sources (e.g., spent fuel pools) physical barriers to radiological release (e.g., a fuel handling building) may be damaged by an external event.

Human reliability analysis in external events PSA

HRA methodologies developed and used in internal events analysis will have to be modified for intended applications in external events PSA. This big challenge will include not only quantification, but also task analysis and modeling, including addressing new performance shaping factors (in applications of generation 1 HRA methods) or new elements of the error forcing context (in applications of generation 2 HRA methods).

In general, external events PSA may need to put more emphasis on organizational and managerial aspects of plant response than PSA for internal events. Instead of a fixed, well elaborated (control room) environment, the key human actions may be performed under highly dynamic and not very crew friendly circumstances.

The strong call for harmonization of HRA methods used worldwide has resulted in such international activities as the International Empirical HRA Study [26]. Harmonization efforts should be extended to cover HRA performed within external events PSA.

Long duration scenarios and the most suitable scope of the model in external events PSA

A clear treatment of long duration scenarios needs a clear definition of what is meant by “long duration.” This definition is dependent on the definition of what is considered to be a safe and stable state, and also on the purpose of the analysis. Regarding purpose, for example, the analysis timeframe for a baseline PSA analysis used to support routine risk-informed applications may differ from that for an analysis performed to identify potential vulnerabilities at a damaged site (actual or hypothetical). The time duration of accident scenarios modeled and quantified in an external events PSA significantly influences the scope of the analysis and the resources needed. Due to the potentially large-scale onsite and off-site consequences of external events that can hinder recovery efforts, the common assumption of a 24 hour mission time frame needs to be re-examined.

The length of the time interval modeled in various PSAs, and even in the same PSA for different external initiating events, should not be fixed as constant; rather it should be established in accordance with the character of the scenario. In principle, the scenario should be modeled up to the point where the final plant status (as defined in PSA) can be clearly put into one of a number of pre-defined categories (stabilized plant, core damage etc.). However, such an approach can lead to a difficult analysis involving explicit modeling of a very long time interval.

Long-term scenarios represent a specific problem for HRA. The challenges include the treatment of organizational response, for which current methods are still rudimentary.

Plant response to the events caused by combined external hazards

As also recognized in a number of workshop presentations, it is important to address combinations of external hazards in external events analysis. Given the multiplicity of potential combinations, such an analysis should be carried out in a systematic manner (e.g., by a matrix of possible external events combinations). Examples of systematic approaches to identification of risk important combinations of external hazards were presented in Session 1 and Session 3 of the workshop.

It is also important to recognize the potential risk significance of consequential hazards induced by the external event. It was noted that seismically-induced fires and floods are being addressed in Canadian PSAs.

Screening methods play a large role in external events PSA. Systematic approaches that search for and then screen, as appropriate, potentially important combinations of external hazards are needed.

Climate change effects

Although there was general agreement that climate change and its implications for external events PSA was an important discussion topic, there were mixed views regarding the urgency of its explicit treatment in PSA.

As also discussed at the NRC’s PFHA workshop (see Section 2.1), estimates of the frequency-magnitude relationship for extreme, natural meteorological events are subject to very large uncertainties, even when climate change is not taken into consideration. Climate change considerations introduce additional uncertainty that may or may not be significant.

Further, it was emphasized that addressing climate changes in external hazards PSA represents a major challenge for the process of deriving (external hazard induced) initiating event frequencies. Addressing climate change means adding (at least) one more parameter into the frequency model and this parameter has to be estimated on the basis of available data.

Recognizing the potential importance of climate change effects on some risk-informed decisions (e.g., those requiring consideration of risk projections for extended time periods), it was suggested that WGRISK continue to monitor the state of the science, possibly addressing the topic through a technical discussion at an upcoming annual meeting. This suggestion echoes a similar recommendation made in the 2009 WGRISK report on PSA for non-seismic external events [3].

As indicated by an NEA representative, the NEA opened a new project addressing economic and safety consequences of climate changes in operation of nuclear power plants in the future [6]. The plan for this new project that addresses safety aspects does not specifically identify PSA as a subject to pursue. However, the idea that PSA may be a usable tool has been supported in climate change project meetings.

3.8.2 Good Practices in External Events PSA

Regarding good practices for external events PSA, the workshop participants identified the following:

• challenge assumptions,

• calibrate models,

• account for underlying physical processes,

• ensure treatment of dependencies,

• work in multidisciplinary teams,

• disseminate information.

A number of these were illustrated with practical examples in the workshop presentations or discussions.

Challenge assumptions

Most current external event PSAs start with a standard list of events (e.g., see NUREG-1407 [27], ASME/ANS Ra-2009a [25], and IAEA Specific Safety Guide SSG-3 [28]) and then screen out events that are unlikely to be important risk contributors. The analysis should consider whether these standard lists should be supplemented by more recently identified potential hazards (e.g., coronal mass ejections). The analysis should also pay strong attention to combinations of events, especially when these events are correlated. Examples of such combinations were presented by a number of papers during the workshop.

The analysis should search for conditions that would make a situation worse and those that could increase dependencies between the external hazard and mitigating actions. As an example of the first, reduced staffing or even attention levels during night shifts could slow the identification and notification of offsite emergencies. As an example of the second, the occurrence of a storm could increase the likelihood of an offshore shipping accident and also increase the failure probability for deploying booms intended to protect against oil spills.

The analysis should consider the effects of potentially relevant trends. In the case of external event PSA, these include changes in weather due to climate change, changes in relevant transportation patterns (e.g., shipping loads and frequency, commercial aircraft routing), and changes in plant technology (e.g., increased use of digital technology, increasing the potential vulnerability to electromagnetic disturbances). Particular attention should be paid to the effects of these trends on combinations of external hazards.

Calibrate models

Given the relatively short historical record available and the need to estimate the likelihood of external hazards with long return periods, the analysis should include all relevant evidence, including paleo evidence when available.

In some situations (e.g., regarding flow from breached dams), experimental data are available and should be factored into the analysis.

A number of external hazards PSAs have been performed worldwide. It would be useful to compare analyses performed for similar hazards (e.g., lightning) to develop lessons (e.g., regarding the screening, or not, of such hazards) useful for other analyses.

Account for underlying physical processes

It is important to ensure that the probabilistic models used in PSA appropriately reflect the underlying physics of the situation. Thus, for example, a fragility analysis for a watertight door should account for the dynamic forces acting on that door – a tsunami will likely present a very different situation than a pipe break.

Although the binary logic modeling approach used in most PSA models is extremely useful, care must be taken that it not be used to oversimplify the performance or communication of an analysis. For example, as explained by Brinkman (see Section 3.3), overtopping is just one failure mode for a dyke. In fact, it isn’t the most likely failure mode. Combined with the fact that a plant’s response will differ with different flooding levels, the intuitive notion of a flooding “cliff edge” needs to be employed with caution.

As previously discussed, external hazards often are characterized by multiple parameters. These parameters, some of which may affect operator actions, should be treated explicitly in a detailed external hazard PSA.

A number of external hazards (e.g., riverine flooding) can involve significant build-up times before dangerous hazard levels are reached. Treatment of the associated warning time can improve the realism of the analysis.

Functional analysis can be performed to assess PSA mission times. Such an analysis is not yet routinely performed but is needed to provide a stronger basis for, or replacement of, generic values (e.g., 24 hours, 72 hours) used in most current PSAs.


Ensure treatment of dependencies (footnote 2)

Seismically induced fires and floods provide particularly challenging examples of potentially dependent events. Guidance for performing quantitative analysis has been developed by EPRI and used in Canada.

Other, well-recognized hazard combinations that can lead to dependent failures include storm-driven high winds and flooding (e.g., Blayais, 1999) and earthquakes and tsunamis (e.g., Fukushima, 2011). Sperbeck (see Section 3.4) presented a systematic method aimed at identifying important hazard combinations and associated dependencies among PSA initiating events.

Work in multidisciplinary teams

The complete treatment of external hazards involves multiple scientific and engineering fields. Multidisciplinary teams are needed to ensure appropriate use of the results from these fields in an external event PSA. In addition to experts on hazards and fragilities, these teams should include participants with expertise in plant operations, who will have first-hand knowledge regarding how a plant is expected to respond to an external event, as well as potentially direct experience with actual events.

It should be recognized that some technical disciplines have approaches and perspectives that are not entirely consistent with the needs of an external events PSA. For example, some flooding hazards experts do not support the development of predictions for floods with return periods much greater than the available historical record (perhaps as supplemented with paleo evidence).

Disseminate information

To assist with the continued improvement and harmonization of external events PSA, it is important that the PSA community continue and even enhance efforts to share information on methods, models, tools, data, and results.

Because external events PSA deals with a wide range of hazards, an analysis requires input from many technical communities. It is therefore important that the external events PSA community be kept aware of developments in other, related communities, even in cases where the developments involve deterministic analyses (e.g., numerical predictions of tsunami heights).

Similarly, because other technical communities will benefit from knowing how their models and analyses are used in external events PSA, it is important that these communities be kept aware of external events PSA developments.

Intermediate results of external events PSA (e.g., the frequency and consequences of extreme flooding events) can be useful to non-nuclear risk managers. Even in cases where an external event is demonstrated to pose an insignificant threat to a nuclear facility, consideration should be given to sharing pertinent information with organizations with relevant risk management responsibilities.

2 Editors’ Note: the proper treatment of dependencies is widely recognized as being fundamental to PSA and much of the workshop’s discussions addressed different aspects of this topic. Due to time limitations, the facilitated discussion did not address additional, specific good practices beyond the few identified in this section.


3.8.3 Other Discussion Points

Particularly in the post-Fukushima era, examples of successful and useful applications of PSA are very valuable. A number of such examples were presented in papers during the workshop and further commented on during the facilitated discussions:

• In one case (the flood induced biofouling and loss of ultimate heat sink at Cruas 4 in 2009 – see Dupuy paper, Section 3.4), emergency operating procedure changes suggested by a pre-event PSA led to improved management of the actual event,

• The papers presented in the workshop provided numerous examples where external events PSA was used to support plant design and operations improvements,

• The workshop papers and discussions also provided numerous examples where deterministic analyses of external hazards led to improvements; this illustrates the complementarity of the probabilistic and deterministic approaches and the value of a risk-informed approach to decision making.


4. Conclusions and Recommendations

The following conclusions can be made based on workshop presentations, discussions during particular sessions, including final and opening sessions, and two facilitated discussions.

4.1 Status of External Hazards PSA Including Recent Developments

Regulatory Framework

Lessons learned from the Fukushima Dai-ichi reactor accidents and related actions at national, European and global level have emphasized the importance of assessing risks associated with external hazards (including combinations of these hazards) and their impacts on a plant site (possibly with several units).

Regulators in most countries have taken actions to include seismic and flooding risk, and, to some level, some other specific external hazards in national PSA practices and safety regulations. The development of systematic approaches for addressing external hazards completely in PSA practices is still ongoing.

An important response of the French authority and utility to the Fukushima accidents is an improvement of the Complementary Safety Studies (CSS) in order to complement the scenario-based approach with probabilistic seismic hazard assessment (PSHA). The existing national safety requirements have been re-evaluated and revised on the basis of recent experiences regarding consideration of multi-unit effects, duration of an event, and fuel storage facilities.

Finland represents an example of a country having long traditions with good experiences in requiring and using external hazards PSA including seismic, external flooding and other external hazards, as an integral part of the PSA and decision making.

The current role of external hazards PSA in the regulatory framework varies from country to country depending on the local conditions, operating experiences and the type of relevant hazards. In some countries adequate deterministic requirements for protection against earthquakes or other external hazards did not exist when the operating reactors were built and the external hazards have been later analyzed in the PSA framework. In other countries the emphasis has been on deterministic design requirements.

Models, methods, tools and data

Useful hazard estimates can be determined with current methods and used in applications in the processes of risk oriented decision making.

Development of methods and preparation of studies aiming to obtain realistic risk assessments, neither too optimistic nor too conservative, is a key issue. These more realistic evaluations would provide a better view of the real problems and also a better view of the interest of safety improvements.

In fact, some recent safety improvements could not have been achieved with an overly simplified and conservative approach. Protection against oil spills in Finland, against tsunami in Korea, and against external flooding in the Netherlands can serve as suitable examples. These case studies give examples of successful PSA applications proving that detailed realistic analyses are needed.

Standards and guidance

Recently developed methods and guides are available for seismic hazard determination, identification of external hazards and screening of external hazards for subsequent detailed analysis. Several lists of screening criteria are available. The methods of Probabilistic Seismic Hazards Assessment (PSHA) have been developed and used in practice for several decades and they have been well documented and described in relevant Standards.

Risk from seismically induced hazards has to be considered as well. Accordingly, AESJ has developed a standard on tsunami PSA [29]. Seismically induced consequential hazards may be a risk factor for those sites that are not sensitive to tsunami. Seismically induced fires and flooding are examples that typically need to be accounted for in a seismic PSA.

Comprehensive and critical overviews of seismic hazard assessments (SHA) have been recognized as important in France, which may also be valid for other countries. IAEA is developing a “how to do” document on implementing seismic PSA in order to provide technical guidance to help meet the requirements of IAEA Safety Guide NS-G-2.13 in support of risk-informed applications. IAEA activities aim at integrating PSA models for internal and external events/hazards, which should also contribute to improving risk-informed safety demonstration, safety management and decision-making.

Good practices

The following external hazards PSA good practices were demonstrated by the presentations made during this workshop (and applicable to PSA in general, not just for external hazards PSA).

• challenging assumptions,
• calibrating models,
• accounting for underlying physical processes,
• treating dependencies,
• involving multidisciplinary teams,
• disseminating information promptly and broadly.

Applications

External hazards analysis methods have been used recently to evaluate operating NPP units and to identify needs for modification of plant systems and procedures as well as to support design of new plants.

The external hazards risk contribution has been modeled in many NPP PSAs (at least for some external hazards) over the last decade, including events occurring during shutdown and low power operation.

Examples of external hazards analyses and plant reactor (and non-reactor) improvements following the results of the analyses were given during this workshop. Details can be found in Appendix 3 of this report.


4.2 Challenges in External Hazards Analysis Methods and Organization

Methodological and technical challenges

In general, there are a number of significant technical challenges for external hazards PSA covering various areas of PSA, which include, for example:

• multi-unit impacts,
• combination of external hazards,
• fragility analysis of non-seismic external hazards,
• correlation effects and consequent damage scenarios,
• HRA for external hazards PSA, including organizational and managerial aspects,
• mission times for long-term scenarios,
• effects of climate change on the derivation of hazard frequencies and magnitudes.

A significant challenge is data analysis, particularly estimation of the initiating event frequency. For many hazard estimates, observational data (sometimes including paleo information) are commonly available, usually for a period of the order of 100 years. However, risk-related screening criteria can be far beyond the range of observation. As a consequence, strong “distant” extrapolations using extreme value distributions are necessary, typically resulting in high uncertainty in the final quantitative results.
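The extrapolation problem described above can be made concrete with a short calculation; this is an added illustration, not part of the workshop report. It assumes a Gumbel distribution (one common extreme value model) fitted by the method of moments to a constructed 100-year record of annual maxima, and uses a bootstrap to show how the interval on the estimated hazard level widens as the return period moves beyond the record length. All function names and the synthetic data are hypothetical.

```python
import math
import random

EULER_GAMMA = 0.5772156649015329


def fit_gumbel_moments(sample):
    """Method-of-moments Gumbel fit: returns (location mu, scale beta)."""
    n = len(sample)
    mean = sum(sample) / n
    var = sum((x - mean) ** 2 for x in sample) / (n - 1)
    beta = math.sqrt(6.0 * var) / math.pi
    mu = mean - EULER_GAMMA * beta
    return mu, beta


def return_level(mu, beta, return_period_years):
    """Hazard level exceeded with annual probability 1/T (requires T > 1)."""
    annual_exceedance = 1.0 / return_period_years
    return mu - beta * math.log(-math.log1p(-annual_exceedance))


def bootstrap_interval(sample, return_period_years, n_boot=1000, level=0.90, seed=1):
    """Percentile bootstrap interval for the T-year return level."""
    rng = random.Random(seed)
    n = len(sample)
    estimates = []
    for _ in range(n_boot):
        # Resample the observed years with replacement and refit.
        resample = [sample[rng.randrange(n)] for _ in range(n)]
        mu, beta = fit_gumbel_moments(resample)
        estimates.append(return_level(mu, beta, return_period_years))
    estimates.sort()
    lower = estimates[int((1.0 - level) / 2.0 * n_boot)]
    upper = estimates[int((1.0 + level) / 2.0 * n_boot) - 1]
    return lower, upper


def constructed_record(years=100, mu=5.0, beta=0.6, seed=2013):
    """Constructed sample: synthetic annual maxima (arbitrary units), not real data."""
    rng = random.Random(seed)
    record = []
    for _ in range(years):
        u = min(max(rng.random(), 1e-12), 1.0 - 1e-12)
        record.append(mu - beta * math.log(-math.log(u)))
    return record


def extrapolation_summary(sample, return_periods=(100, 10_000, 1_000_000)):
    """Rows of (return period, point estimate, lower bound, upper bound)."""
    mu, beta = fit_gumbel_moments(sample)
    rows = []
    for period in return_periods:
        lower, upper = bootstrap_interval(sample, period)
        rows.append((period, return_level(mu, beta, period), lower, upper))
    return rows


if __name__ == "__main__":
    for period, estimate, lower, upper in extrapolation_summary(constructed_record()):
        print(f"T = {period:>9,d} y  level = {estimate:6.2f}  "
              f"90% interval = [{lower:6.2f}, {upper:6.2f}]  width = {upper - lower:5.2f}")
```

The interval reflects only sampling uncertainty under the assumed Gumbel form; uncertainty about the choice of distribution itself, which grows with the extrapolation distance, is not captured.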

Identification of correlations between external hazards is another important point. The combinations of simultaneous or successive external hazards may result in increased loadings on SSCs or they may simultaneously endanger diverse safety systems. Formal mathematical methods to treat the probabilities of correlated hazards are available but the quantification of the model parameters is a big challenge.

Based on the results and findings from seismic PSA models developed for selected Japanese plant designs, the need to improve the quantification of correlated simultaneous failures has been highlighted.

Scope and organizational challenges (topics suitable for international cooperation)

There are still some challenges ahead in the scope of external hazards PSA; e.g., SFP and dry cask storage have not yet been systematically addressed, nor has Level 2 external hazards PSA. Screening criteria and screening results have not been harmonized among the parties participating in external hazards analysis and, somewhat differently from internal events PSA, external hazards related operating experience has not been systematically exchanged between utilities.

Use of a structured and systematic approach is indispensable to ensure sufficient defense of non-reactor nuclear facilities against earthquakes. A seismic classification for non-reactor nuclear facilities is currently being proposed and discussed.

The broad scope and organizational challenges appear to be:


• increasing the scope of external hazards PSA to match internal events (recognizing resource limitations);

• ensuring appropriate interactions with the appropriate scientific/technical communities;

• ensuring appropriate use in safety-related decision making, including challenges related to quality and acceptance of external hazards PSA.

4.3 General Conclusions Regarding the Future Role of WGRISK

The contributions presented and the discussions organized during the international workshop on PSA of Natural External Hazards Including Earthquakes, hosted by UJV Rez, on June 17-19, 2013, in Prague, Czech Republic, provided valuable input for strengthening the role of WGRISK in supporting the development and application of probabilistic safety assessment and risk-oriented decision making methods in the area of external hazards.

The workshop supported the key general objectives of current WGRISK activities carried out in the frame of the CSNI task on “PSA of Natural External Hazards Including Earthquakes”, i.e. to collect and exchange information from OECD member states on the methods and approaches used in probabilistic safety assessment in this area. It is obvious that the orientation of WGRISK to such an important topic should continue in the future. Since the development of systematic approaches for addressing external hazards completely in PSA practices is still ongoing and will not be finished soon, WGRISK can play a useful role in the process of comparison and harmonization of the approaches used by the research and development teams in the individual OECD member countries.

Although the area of natural external events is very broad and covers many themes, some of them should be given priority. Concrete examples of such topics include: external hazards impact on the plant operated in low power or shutdown regimes, impact of combined and induced external hazards, modeling of long-duration scenarios, where the uncertainty of scenario progression and final plant status is high, and the impact of severe natural external events on sites with several units.

A successful solution of these challenges and the development of appropriate user-friendly approaches can increase the credibility of PSA as a tool covering not only internal events, but also the more complex impact of natural events of high intensity. This should be done in such a way that the needs of both utilities and regulatory bodies are taken into consideration. The lessons learned from the Fukushima Dai-ichi reactor accidents and related actions at national, regional, and global level may also be included in the knowledge base used in support of external hazards analysis. For example, one lesson is that the analysis and data should not be limited only to individual plant units; information is needed regarding the site as a whole, including all dependent effects and impacts.

Recognizing the impetus for action provided by actual operational events (including the Fort Calhoun flooding as well as the Fukushima Dai-ichi reactor accidents), it appears that WGRISK can provide stronger (and better-focused) cases for action by increasing its use of operating experience feedback. Among other things, this could imply strengthening ties with associated international working groups, particularly the NEA/Committee of Nuclear Regulatory Authorities (CNRA) Working Group on Operating Experience (WGOE).

An additional action for WGRISK suggested by the review concerns the tracking of past recommendations. It appears that increased efforts by the WGRISK leadership to systematically track and disposition report recommendations would help ensure that each task performed by the group more strongly supports the group’s overall objectives, and would help WGRISK improve its strategic planning processes.


In general, due to the high importance of external hazards risk analysis, WGRISK should consider initiating further activities in this area. For example, a future task to cover (partly or completely) the area of man-induced external hazards, which has been shown in some plant specific studies to be an important contributor to risk, could be considered.

Given the current pace of activity in this area, ways for WGRISK to continue information sharing on topics connected with natural external events should be considered. One possibility is to update the information contained in CSNI NEA report “Probabilistic Safety Analysis of other External Events than Earthquake” in March, 2009 [2] by gathering new information via a survey questionnaire. As new important events have happened since that time, including the Fukushima Dai-ichi reactor accidents, such an update could provide new valuable information and conclusions regarding external events.

Moreover, in the CSNI framework, WGRISK could provide a contribution to the newly created Task Group on Natural External Events for including a risk aspect.

Finally, it should be pointed out that WGRISK is, first and foremost, an information sharing entity. The group does not take actions that directly affect nuclear safety, nor does it develop safety standards used by member organizations to ensure safety. However, of course, the information developed and shared by WGRISK is potentially useful to both of these activities. It appears that strengthening WGRISK’s ties with IAEA (which participates in WGRISK meetings) and other standards-setting organizations could help WGRISK (both in ensuring use of its products and in identifying areas of need) and these other organizations (by providing information supporting improved standards and guidance).


5. References

[1] Organisation for Economic Co-operation and Development (OECD), Nuclear Energy Agency (NEA), Specialist Meeting on the Seismic Probabilistic Safety Assessment of Nuclear Facilities, Jeju Island, Republic of Korea, 6-8 November 2006, NEA/CSNI/R(2007)14, Paris, France, November 2007

[2] Organisation for Economic Co-operation and Development (OECD), Nuclear Energy Agency (NEA), Proceedings of the Workshop on Recent Findings and Developments in Probabilistic Seismic Hazards Analysis (PSHA) Methodologies and Applications, Lyon, France, 7-9 April 2008, NEA/CSNI/R(2009)1, Paris, France, August 2009

[3] Organisation for Economic Co-operation and Development (OECD), Nuclear Energy Agency (NEA), Probabilistic Safety Analysis (PSA) of Other External Events Than Earthquake, NEA/CSNI/R(2009)4, Paris, France, May 2009

[4] American Nuclear Society (ANS), External Events in PRA Methodology, ANSI/ANS 58.21-2003, 2003

[5] Organisation for Economic Co-operation and Development (OECD), Nuclear Energy Agency (NEA), Use and Development of Probabilistic Safety Assessment: An Overview of the Situation at the End of 2010, NEA/CSNI/R(2012)11, Paris, France, December 2012

[6] Siu N., Coyne K., Lanore J.-M., Roewekamp M., Amri A., Fukushima Dai-ichi: WGRISK pre- and post-event activities, ANS PSA 2013 International Topical Meeting on Probabilistic Safety Assessment and Analysis, Columbia, SC, USA, September 22-26, 2013

[7] Organisation for Economic Co-operation and Development (OECD), Nuclear Energy Agency (NEA), State-of-the-Art Report on the Current Status of Methodologies for Seismic PSA, NEA/CSNI/R(97)22, Paris, France, March 1998

[8] Organisation for Economic Co-operation and Development (OECD), Nuclear Energy Agency (NEA), Proceedings of the OECD/NEA Workshop on Seismic Risk, 10-12 August 1999, Tokyo, Japan, NEA/CSNI/R(99)28, Paris, France, November 2000

[9] Organisation for Economic Co-operation and Development (OECD), Nuclear Energy Agency (NEA), Seismic Probabilistic Safety Assessment for Nuclear Facilities, CSNI Technical Opinion Paper 2, Paris, France, September 2002

[10] Hakata T., Seismic PSA Methodology for Multi-Unit Sites, Proceedings of the OECD/NEA Workshop on Seismic Risk, 10-12 August 1999, Tokyo, Japan, NEA/CSNI/R(99)28, Paris, France, November 2000

[11] Ogura K., Fukuda M., Sakagami M., and Ebisawa K., Japan: Accidence Sequence Study for Seismic Event at the Multi-Unit Site, Proceedings of the OECD/NEA Workshop on Seismic Risk, 10-12 August 1999, Tokyo, Japan, NEA/CSNI/R(99)28, Paris, France, November 2000

[12] Tsutsumi H., Nanba H., Motohasi S., Ebisawa K., Development of Seismic PSA Methodology Considering Aftershock, Proceedings of the OECD/NEA Workshop on Seismic Risk, 10-12 August 1999, Tokyo, Japan, NEA/CSNI/R(99)28, Paris, France, November 2000


[13] International Atomic Energy Agency (IAEA), Programme: International Workshop on External Flooding Hazards at Nuclear Power Sites, 29 August – 2 September, 2005 (available from http://www.iaea.org/newscenter/news/pdf/tsunamiprog.pdf)

[14] Organisation for Economic Co-operation and Development (OECD), Nuclear Energy Agency (NEA), The Use and Development of Probabilistic Safety Assessment in NEA Member Countries, NEA/CSNI/R(2002)18, Paris, France, July 2002.

[15] Organisation for Economic Co-operation and Development (OECD), Nuclear Energy Agency (NEA), Use and Development of Probabilistic Safety Assessment, NEA/CSNI/R(2007)12, Paris, France, November 2007

[16] Organisation for Economic Co-operation and Development (OECD), Nuclear Energy Agency (NEA), Fire Risk Analysis, Fire Simulation, Fire Spreading and Impact of Smoke and Heat on Instrumentation Electronics: State-of-the-Art Report, NEA/CSNI/R(1999)27, February 2000

[17] Organisation for Economic Co-operation and Development (OECD), Nuclear Energy Agency (NEA), Proceedings of OECD/NEA Workshop on Fire Risk, 26 June-2 July 1999, Helsinki, Finland, NEA/CSNI/R(1999)26, June 2000

[18] Organisation for Economic Co-operation and Development (OECD), Nuclear Energy Agency (NEA), Fire Probabilistic Safety Assessment for Nuclear Facilities, CSNI Technical Opinion Paper 1, Paris, September 2002

[19] Gorbatchev A., Mattéi J.M., Rebour V., Vial E., Report on flooding of Le Blayais power plant on 27 December 1999, EUROSAFE Forum 2000, Institut de Radioprotection et Sécurité Nucléaire (IRSN), France

[20] International Atomic Energy Agency (IAEA) “Earthquakes and associated topics in relation to nuclear power plant siting”, Safety Guide 50-SG-S1, Vienna, 1979

[21] International Atomic Energy Agency (IAEA) “Seismic Hazards in Site Evaluation for Nuclear Installations”, SSG-9, Vienna, 2010

[22] EPRI, “Identification of External Hazards for Analysis in Probabilistic Risk Assessment”, TR 1022997, December 2011

[23] International Atomic Energy Agency (IAEA) “Evaluation of Seismic Safety for Existing Nuclear Installations”, NS-G-2.13, Vienna, 2009

[24] U.S. Nuclear Regulatory Commission “Procedures for the External Event Core Damage Frequency Analyses for NUREG-1150”, NUREG/CR-4840, SANDS88-3102, November 1990

[25] ASME/ANS, “Addenda to ASME/ANS RA-S-2008 Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications”, RA-Sa-2009, U.S.A. 2009

[26] U.S. Nuclear Regulatory Commission “International HRA Empirical Study Report”, NUREG/IA-0216, Washington, U.S.A., November 2009


[27] U.S. Nuclear Regulatory Commission “Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities”, NUREG-1407, June 1991

[28] International Atomic Energy Agency (IAEA), “Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants”, SSG-3, Vienna 2010

[29] Implementation Standard Concerning the Tsunami Probabilistic Risk Assessment of Nuclear Power Plants: 2011(AESJ-SC-RK004E:2011), April 2013


OECD/NEA COMMITTEE ON THE SAFETY OF NUCLEAR INSTALLATIONS (CSNI)

PSA OF NATURAL EXTERNAL HAZARDS INCLUDING EARTHQUAKE APPENDICES

June 17-20, 2013 Prague, Czech Republic


List of content

APPENDICES

1. LIST OF PARTICIPANTS

2. WORKSHOP AGENDA

3. PAPERS/PRESENTATIONS

OPENING SESSION

SESSION 1 ANALYSIS OF EXTERNAL HAZARDS POTENTIAL

SESSION 2 SPECIFIC FEATURES OF ANALYSIS AND MODELING OF PARTICULAR NATURAL EXTERNAL HAZARDS

SESSION 3 PRACTICES AND RESEARCH EFFORTS ON NATURAL EXTERNAL EVENTS

SESSION 4 MODELING OF NPP RESPONSE TO NATURAL EXTERNAL EVENTS IN PSA

SESSION 5 SEISMIC RISK ANALYSIS

SESSION 6 USE OF EXTERNAL EVENTS PSA WITH THE FOCUS ON REGULATORY BODY ROLE

CLOSING SESSION


LIST OF PARTICIPANTS


BELGIUM Dries Gryffroy Telephone No: +32 / (0)2 528 02 62 Bel V E-mail Address: [email protected] Rue Walcourt 148 B-1070 Brussels

CANADA Michael Xu Telephone No: +613-943-0015 Canadian Nuclear Safety Commission (CNSC) E-mail Address: [email protected] Ottawa Ontario

CZECH REPUBLIC Jaroslav Holy Telephone No: +420266172167 UJV Rez, a. s. E-mail Address: [email protected] Hlavni 130 Husinec Rez, 250 68

Milan Hladky Telephone No. +420581101111 ČEZ, a. s. E-mail Address: [email protected] NPP Dukovany

Jozef Misak Telephone No: +420266173655 UJV Rez, a. s. E-mail Address: [email protected] Hlavni 130 Husinec Rez, 250 68

Milan Jaros Telephone No: +420266172373 UJV Rez, a. s. E-mail Address: [email protected] Hlavni 130 Husinec Rez, 250 68

Ladislav Pecinka Telephone No: +420266172610 UJV Rez, a. s. E-mail Address: [email protected] Hlavni 130 Husinec Rez, 250 68

Milan Patrik Telephone No: +420266173560 UJV Rez, a. s. E-mail Address: [email protected] Hlavni 130 Husinec Rez, 250 68

FINLAND Juho Helander Telephone No: +358 20 757 8407 Fennovoima Oy E-mail Address: [email protected] Salmisaarenaukio 1 00180 Helsinki


Ulla Vuorio Telephone No: +35840 0887635 Radiation and Nuclear Safety Authority – STUK E-mail Address: [email protected] PO BOX 14 FI-00881 Helsinki

Tiia Puukka Telephone No: +358503444831 Teollisuuden Voima OYJ E-mail Address: [email protected] Olkiluoto FI-27160 EURAJOKI

Jorma Sandberg Telephone No: +358 40 1520178 Radiation and Nuclear Safety Authority – STUK E-mail Address: [email protected] PO BOX 14 FI-00881 Helsinki

Lasse Tunturivuori Telephone No: +358 (02) 83811 Teollisuuden Voima OYJ E-mail Address: [email protected] Olkiluoto FI-27160 EURAJOKI

FRANCE Patricia Dupuy Telephone No: +33158358983 IRSN E-mail Address: [email protected] B.P. 17 92262 Fontenay-aux-Roses CEDEX

Gabriel Georgescu Telephone No: +33158358108 IRSN E-mail Address: [email protected] B.P. 17 92262 Fontenay-aux-Roses CEDEX

Marie Gallois Telephone No: +33 1 47 65 41 73 EDF R&D E-mail Address: [email protected] 1 avenue du Général de Gaulle 91440 Clamart Cedex

Jeanne-Marie Lanore Telephone No: +33158357648 IRSN E-mail Address: [email protected] BP17 92262 Fontenay-aux-Roses CEDEX

Catherine BERGE-THIERRY Telephone No: +33169086655 CEA E-mail Address: catherine.berge-[email protected] DEN/DANS/DM2S/SEMT/EMSI Bâtiment 603 Centre de Saclay 91191 Gif/Yvette


GERMANY Heiko Kollasko Telephone No: +49 9131 900 99942 AREVA GmbH E-mail Address: [email protected] Henri-Dunant-Strasse 50 91058 Erlangen

Matias Krauß Telephone No: +4930183331540 Bundesamt für Strahlenschutz, Safety Assessment E-mail Address: [email protected] Willy-Brandt-Straße 5 D-38226 Salzgitter

Maxi Mummert Telephone No: +496023911519 Nukem Technologies GmbH E-mail Address: [email protected] Industriestrasse 13

Silvio Sperbeck Telephone No: +493088589167 Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH E-mail Address: [email protected] Kurfürstendamm 200 10719 Berlin

Michael Türschmann Telephone No: +49(30)88589132 GRS mbH E-mail Address: [email protected] Kurfürstendamm 200 10719 Berlin

Ralf Wohlstein Telephone No: +49114394488 EON E-mail Address: [email protected] Tresckowstrasse 5 30457 Hannover

HUNGARY Attila Bareith Telephone No: +36 1 392 2716 NUBIKI Nuclear Safety Research Institute E-mail Address: [email protected] Konkoly-Thege Miklos ut 29-33 H-1121 Budapest

Mr Zoltán Vida Telephone No: +36 75 508978 MVM Paks NPP E-mail Address: [email protected] P.O.B. 71, Lot No: 8803/15 H-7031 Paks

Tamas Siklossy Telephone No: +36 1 392 2222 ext. 2113 NUBIKI E-mail Address: [email protected] Konkoly-Thege M. ut 29-33. Budapest


CHINA Gong Yu Telephone No: +0086 10 82205816 Nuclear and Radiation Safety Center of the Ministry of Environmental Protection E-mail Address: [email protected] The Xizhimen North Street, Shougang International Building 16F

CHINESE TAIPEI Jyh-Der LIN Telephone No: +886-3-4711400 ext 6075 INER E-mail Address: [email protected] 1000 Wenhua Road, Longtan Township Tao Yuan, Taiwan

Yu-Ting LIN Telephone No: +886-3-4711400 ext 6133 INER E-mail Address: [email protected] 1000 Wenhua Road, Longtan Township Tao Yuan, Taiwan

Chung-Kung LO Telephone No: +886 3-4711400 ext 6075 INER E-mail Address: [email protected] 1000 Wenhua Road, Longtan Township Tao Yuan, Taiwan

NETHERLANDS E.W. Boxman Telephone No: +31 70 456 2367 Inspectorate of the Ministry of Infrastructure and Environment E-mail Address: [email protected] Nieuwe Uitleg 1 (int. 560) 2514 BP Den Haag

J. L. Brinkman Telephone No: +31 (0)26 356 8553 NRG Arnhem E-mail Address: [email protected] Utrechtseweg 310, P.O.Box 9034 Arnhem

ITALY Luciano Burgazzi Telephone No: +39 0516098556 ENEA E-mail Address: [email protected] Via Martiri di Monte Sole,4 40129 Bologna

Laura Frisoni Telephone No: +39 0683059865 ENEL E-mail Address: [email protected] Via Mantova 24 00198 Roma


JAPAN Keisuke Kondo Telephone No: +81(3)4511-1712 Incorporated Administrative Agency Japan Nuclear Energy Safety Organization E-mail Address: [email protected] Toranomon Tower Office, 4-1-28 Toranomon, Minato-ku Tokyo

Masahide Nishio Telephone No: +81(3)4511-1707 Japan Nuclear Energy Safety Organization (JNES) E-mail Address: [email protected] 4-1-28 Toranomon, Minato-ku Tokyo

KOREA (REPUBLIC OF) In-Kil CHOI Telephone No: +82-42-868-2056 Korea Atomic Energy Research Institute E-mail Address: [email protected] P.O. Box 105, Yuseong, Daejeon, 305-600

SLOVAK REPUBLIC Jozef Rybár Telephone No: +421258221176 Nuclear Regulatory Authority of the Slovak Republic E-mail Address: [email protected] Bajkalská 27 820 07 Bratislava

SPAIN Vázquez, Mª Teresa Telephone No: + 34 91 346 02 60 Nuclear Safety Council E-mail Address: [email protected] C/ Pedro Justo Dorado Delmans, 11 28040 Madrid

SWEDEN Frida Olofsson Telephone No: +46 8-799 40 30 Strålsäkerhetsmyndigheten E-mail Address: [email protected] Strålsäkerhetsmyndigheten 171 16 Stockholm

SWITZERLAND Roland Beutler Telephone No: +41-56-460-85-49 Swiss Federal Nuclear Inspectorate, ENSI E-mail Address: [email protected] Industriestrasse 19 CH-5200 Brugg

Thomas Kozlik Telephone No: +41 62 288 20 76 NPP Goesgen-Daeniken AG E-mail Address: [email protected] Kraftwerkstrasse 4658 Daeniken


UAE Farouk Eltawila Telephone No: +971 2 651 6610 Federal Authority for Nuclear Regulation E-mail Address: [email protected] P.O. Box 112021 Abu Dhabi

UNITED KINGDOM Peter Ford Telephone No: +207 556 3578, 0151 951 5733 Health and Safety Executive E-mail Address: [email protected] Redgrave Court, Merton Road Bootle, L20 7HS

Graham Simpson Telephone No: +207 556 3578 Health and Safety Executive E-mail Address: [email protected] Rose Court 2 Southwark Bridge London SE1 9HS

UNITED STATES OF AMERICA Selim Sancaktar Telephone No: +301-251-7572 U.S. Nuclear Regulatory Commission E-mail Address: [email protected] Washington, DC 20555-0001

Nathan Siu Telephone No: +13012517583 US Nuclear Regulatory Commission E-mail Address: [email protected] MS CSB 4.A07M Washington, DC 20555

INTERNATIONAL ORGANISATIONS Abdallah Amri Telephone No: +33145241054 OECD/NEA E-mail Address: [email protected] Nuclear Safety Division 12Bd des Iles FR-92130 Issy-les-Moulineaux

Ovidio Coman Telephone No: +431260026068 International Atomic Energy Agency E-mail Address: [email protected] P.O.Box 200 Vienna 1400

Kenta Hibino Telephone No: +43 2600 25559 International Atomic Energy Agency E-mail Address: [email protected] Vienna International Centre, Wagramerstrasse 5 A-1400, Vienna

Henri Paillere Telephone No: +33145241067 OECD Nuclear Energy Agency E-mail Address: [email protected] Le Seine St Germain, 12 boulevard des Iles, 92130 Issy les Moulineaux


WORKSHOP AGENDA


Workshop Programme Meeting rooms Brussels 3,4

Monday June 17, 2013 Registration 8:00 – 9:00

Opening session Chair: Milan Patrik (UJV Rez, Czech Republic) Co-Chair: Abdallah Amri (OECD/NEA, France)

9:00 Opening address & Welcome address Opening remarks, Objectives of the workshop

Nathan Siu (NRC, USA): Overview Notes: Workshop on Probabilistic Flood Hazard Assessment (PFHA) and PSAM Topical Conference in light of the Fukushima Dai-ichi Accident

Kenta Hibino (IAEA, Austria): Safety Assessment of Multiunit NPP Sites Subject to External Events

Jozef Misak (UJV Rez, Czech Republic): Lessons Learned from EU Stress Tests Evaluations with regard to External Hazards

10:30 End of opening session & Coffee break

Session 1: Analysis of external hazards potential

Chair: Jorma Sandberg (STUK, Finland)

11:00 Luciano Burgazzi (ENEA, Italy): Implementation of PSA models to estimate the probabilities associated with external event combination

Juho Helander (FENNOVOIMA, Finland): External hazard identification, screening and studies for a new plant site

Ladislav Pecinka (UJV Rez, Czech Republic): Seismic hazard assessment for NPPs in Czech Republic

Heiko Kollasko (AREVA, Germany): Probabilistic analysis of external events with focus on the Fukushima event

12:40 End of Session 1 & Lunch


Session 2: Specific features of analysis and modeling of particular natural external hazards

Chair: Jeanne-Marie Lanore (IRSN, France)

14:00 Jaroslav Holy (UJV Rez, Czech Republic): Estimation of frequency of occurrence of extreme natural external events of very high intensity on the base of (non)available data

Lasse Tunturivuori (TVO, Finland): External hazards in the PRA of Olkiluoto 1 and 2 NPP units - accidental oil spills

In-Kil Choi (KAERI, Korea): Current status and issues of external event PSA for extreme natural hazards after Fukushima accident

J. L. Brinkman (NRG, Netherlands): Realistic modeling of external flooding scenarios

15:40 End of Session 2 & Coffee break

Facilitated discussion 1: Where do we stand in risk analysis of external events?

Chair: Jaroslav Holy (UJV Rez, Czech Republic)

16:10 The discussion can address the following topics:

--- Treatment of multiunit effects of external events (including effects on onsite spent fuel and waste storage facilities)

--- Specific problems of vulnerability and fragility analysis

--- Analysis of both local and broad effects of external hazards including long term loss of the electrical grid and the final heat sink

--- Addressing specific features of plant operation regimes in analysis and modeling

--- Human factors in plant response to external events

--- Approaches to extended duration scenarios involving external events (including events involving a stabilized but damaged plant)

--- Modeling of plant response to the events caused by combined external hazards

17:30 End of Day 1

19:30-22:00 Dinner


Tuesday June 18, 2013

Session 3: Practices and research efforts on natural external events PSA

Chair: Kondo Keisuke (JNES, Japan)

9:00 Nathan Siu (NRC, USA): Consideration of external hazards and multi-source interactions in the USNRC’s site level 3 PSA project

Silvio Sperbeck (GRS, Germany): Recent research on natural hazards PSA in Germany and future needs

Patricia Dupuy (IRSN, France): Treatment of the loss of ultimate heat sink initiating events in the IRSN PSA

Hari Prasad Muruva (BARC, India): Modeling of Seismically Induced Multiple Rare Events in PSA of Indian NPPs

Gabriel Georgescu (IRSN, France): PSA modeling of long-term accident sequences

11:00 End of Session 3 & Coffee break

Session 4: Modeling of NPP response to natural external events in PSA

Chair: Gabriel Georgescu (IRSN, France)

11:20 Tamas Siklossy (NUBIKI, Hungary): External Events PSA for the Paks NPP

Thomas Kozlik (KKG, Switzerland): Treatment of external events in the linked event tree methodology – NPP Goesgen-Daeniken example

Tiia Puukka (TVO, Finland): The probabilistic risk analysis of external hazards of an interim storage for spent nuclear fuel in Olkiluoto

Milan Jaros (UJV Rez, Czech Republic): External events analysis in PSA studies for Czech NPPs

13:00 End of Session 4 & Lunch

Session 5: Seismic risk analysis

Chair: Attila Bareith (NUBIKI, Hungary)

14:00 Catherine Berge Thierry (CEA, France): Seismic hazard assessment and uncertainties treatment: discussion on the current French regulation, practices and open issues.

Kondo Keisuke (JNES, Japan): Level-1 seismic probabilistic risk analysis for a PWR plant

Masahide Nishio (JNES, Japan): Seismic PRA of a BWR plant

Maxi Mummert (NUKEM, Germany): Optimization of safety and seismic classification during the design stage of non-reactor nuclear facilities

Ovidiu Coman (IAEA, Austria): Implementation Guidelines for Seismic PSA

16:00 End of Session 5 & Coffee break

Facilitated discussion 2: Findings and good practices for external events analysis

Chair: Nathan Siu (NRC, USA)

16:30 The discussion can address the following topics:

--- Applications of external events PSA methods and models in regulatory oversight.

--- Use of external events PSA in risk informed safety management by the licensees and other non-regulatory applications for external events PSA

--- Evaluation of the effectiveness of measures to be taken in anticipation of gradually developing external hazards

--- Level 2 PSA aspects of external events risk analysis including evaluation of accident management measures in case of external events

--- Treatment of uncertainties and sensitivity analysis in PSA for external events.

17:45 End of Day 2


Wednesday June 19, 2013

Session 6: Use of external events PSA with the focus on regulatory body role

Chair: Ulla Vuorio (STUK, Finland)

9:00 Matias Krauss (BFS, Germany): Current regulatory developments concerning the implementation of probabilistic safety analyzes for external hazards in Germany.

Selim Sancaktar (NRC, USA): Incorporation of all hazard categories into U.S. NRC PRA models

Michael Xu (CNSC, Canada): PSA approach for evaluation of external hazards as part of CNSC Fukushima action items

Kondo Keisuke (JNES, Japan): Strategies towards enterprising development and application of external events PRA standards in JAPAN

Jorma Sandberg (STUK, Finland): The role of external events PSA in the Finnish regulatory approach

11:00 End of Session 6 & Coffee break

Final Session

Chair: Milan Patrik (UJV Rez, Czech Republic)

Co-Chair: Abdallah Amri (OECD/NEA, France)

11:30 All session chairmen: Session summaries (approximately 10 minutes each) Workshop summary and concluding remarks

12:45 Closing of the workshop

Lunch


PAPERS/PRESENTATIONS


OPENING SESSION

Chair: Milan Patrik Co-Chair: Abdallah Amri

J. Misak LESSONS LEARNED FROM EU STRESS TESTS EVALUATIONS WITH REGARD TO EXTERNAL HAZARDS

S. Samaddar, K. Hibino and O. Coman SAFETY ASSESSMENT OF MULTIUNIT NPP SITES SUBJECT TO EXTERNAL EVENTS

N. Siu NOTES AND MEETING OVERVIEWS ON PSAM 2013 & PROBABILISTIC FLOOD HAZARD ASSESSMENT WORKSHOP


SAFETY ASSESSMENT OF MULTIUNIT NPP SITES SUBJECT TO EXTERNAL EVENTS

Sujit Samaddar, Kenta Hibino and Ovidiu Coman International Atomic Energy Agency Vienna International Centre PO Box 200, Vienna 1400, Austria

ABSTRACT:

This paper presents a framework for conducting a probabilistic safety assessment of multiunit sites against external events. The treatment of multiple hazards on a unit, interaction between units, implementation of severe accident measures, human reliability, environmental conditions, metric of risk for both reactor and non-reactor sources, integration of risk and responses and many such important factors need to be addressed within the context of this framework. The framework facilitates the establishment of a comprehensive methodology that can be applied internationally to the peer review of safety assessment of multiunit sites under the impact of multiple external hazards.

KEY WORDS:

External Events PSA, Common Cause Failures, Multiunit Site, Multi Hazards

1. INTRODUCTION

The current energy demands and the difficulties in acquiring public support for establishing new sites for nuclear power plants are a powerful incentive for the nuclear industry to use existing sites for the construction of new nuclear reactor units. The incentive is made even more attractive by the availability of many of the infrastructural and administrative resources that can be shared through the use of the same site. Thus for new builds the nuclear industry tends to gravitate towards using the same site, a multiunit site, as this choice is very practical and resource efficient (Ref. 1).

Fig. 1 shows the distribution of sites housing more than three units in the world, based on the IAEA’s PRIS database (www.iaea.org/pris). As of 10 March 2013, the ratio of multiunit sites housing more than two units (including operating units, units under construction and long-term suspended units) among all sites is about 81%, and the ratio of multiunit sites housing more than three units is about 32%.


Fig. 1: Multiunit sites housing more than three units in the world (10 March 2013)

This move towards the use of a common site to house multiple reactor units and supporting facilities requires the regulatory authorities of the Member States to establish the “safety” of such a site. Safety assessments in the past have used deterministic and probabilistic approaches, considering that a site with multiple installations can be represented by summing up the risk metrics of individual units. This simplified approach to establishing site safety had several limitations, as it could not fully represent the many varied and complex interactions that would take place during a severe event impacting a multiunit site.

The Niigata-Ken Chuetsu-Oki Earthquake (16 July 2007, Japan), which affected the Kashiwazaki-Kariwa nuclear power station, provided a glimpse of how multiple correlated hazards (ground motion and fire) can develop from a single external event. A site safety assessment should therefore be capable of addressing multiple correlated hazards, yet the currently available methodology for site safety assessment addresses one hazard at a time.

The Great East Japan Earthquake (11 March 2011, Japan) generated severe ground motion, causing the safe shutdown of several reactor units at the nuclear power plants of Onagawa, Fukushima Dai-ichi, Fukushima Dai-ni, Tokai Dai-ni and Higashi Dori. However, the ensuing tsunami at Fukushima Dai-ichi resulted in extreme flooding that challenged the safety systems of all six units, exceeding their capacities, breaching their defense-in-depth measures and eventually leading to severe core damage in three of the units. This resulted in large radioactive releases, which severely restricted the deployment of severe accident management resources already reduced by the simultaneous demand from competing units. Heroic actions were taken to prevent additional release from the spent fuel pools. All of these entities put additional demands on the single-unit-sized severe accident management resource (Ref. 2). All this was aggravated by the severe loss of plant infrastructure caused by the immense destructive energy of the tsunami wave front.

The Fukushima accident underscores the need for a comprehensive site safety assessment methodology which can address site safety in a holistic way. Multiple hazards or hazard combinations, the interaction between the units (be it from shared systems, common cause, or interaction of responses), the simple screening out of events based on rarity without consideration of combinations, human reliability, severe accident management practice considering multiunit events, the contribution of releases from other non-reactor sources on site and other such issues need to be addressed in a comprehensive framework.

In this framework of site safety assessment, the risk assessment should include sensitivities to determine the extent to which multiunit considerations increase or decrease the risk associated with a specific nuclear installation site. The quantification of such a risk at a site level allows the regulatory body to make risk informed decisions in their role as a regulator and protector of public health and the environment.

The Fukushima accident, involving a combination of multiunit and multiple hazards, highlighted the need for such a holistic framework for risk assessment of a site, one capable of integrating the risk associated with all sources that can be released from a site. This paper is an effort to bring into focus all the different issues that a generalized framework for site level risk assessment needs to consider in the formulation of a site safety assessment methodology.

2. FRAMEWORK OF SITE SAFETY ASSESSMENT

The following presents the holistic framework for the risk assessment of a site with multiple units and other co-located installations with nuclear inventory. The framework has at its centre the reactor units and the other co-located nuclear installations, which are challenged by the external events. The events cause one or more hazards, which may challenge the safety of one or more reactor and non-reactor units on the site. The affected installations respond to the imposed challenges, which in turn may or may not affect the installations on site. These interactions between installations continue until severe accident management measures are brought into play, and further interactions continue to occur into the release phase from one or more installations. The risk quantification of this release, as a measure of its impact on human and environmental health, will provide the final response to the site level safety assessment.

Given this framework as the scope of the risk assessment, many issues unaddressed before come into focus. The treatment of multiple hazards on a unit, interaction between units, implementation of severe accident measures, human reliability, environmental conditions, metric of risk for both reactor and non-reactor sources, integration of risk and responses and many such important factors need to be addressed within the context of this framework.

2.1 Interaction

As illustrated by the Fukushima accident, multiunit accidents involve unique challenges to the structures, systems and components that perform the safety functions at each of the installations and the human and infrastructural resources that support the operation and implementation of severe accident management and offsite protective actions. The same hazard or hazard combination may lead to initiating events and accident sequences in multiple installations concurrently (common cause). An accident at one installation may affect the capabilities and compromise the resources available to support mitigational efforts in another installation. Hence the probability of preventing an accident in one installation cannot be assessed without considering the status of the other installations on the site. Consideration of interaction of structures, systems and components between the different installations, the response of the installation and its interaction with the response in individual installations, human reliability given these interactions and others that will result during the progression of an accident are essential interactions to be included in the holistic framework for site safety assessment.


2.2 Risk Metrics

If there is a release from more than one installation during the same accident, then the emergency planning and severe accident management will be grossly impacted. Large levels of radiation exposure will quickly saturate the dose levels of the responders, and as a result the consequence of a concurrent release from more than one reactor unit may exceed the linear sum of the consequences of individual reactors. Given this, and the fact that the frequency of the release at a multiunit site is related to the number of units on the site, the risk metrics of core damage frequency (CDF) and large early release frequency (LERF) are no longer adequate for the risk assessment of multiunit sites. A more general set of risk metrics that would apply to all types of accidents similar to that at Fukushima would be those associated with a Level 3 PSA, in which the risk of consequences to public health and safety is fully quantified. Thus a new or modified set of risk metrics needs to be developed which can rationally quantify the risk associated with multiunit sites involving non-reactor installations.

2.3 Screening

For Fukushima, serious questions have been raised about the inability to protect the plant against internal and external hazards. This could to a great extent be attributed to the optimistic screening of hazards and the exclusion of hazard combinations that have a higher potential of occurring than could be supported in developing a “deterministic” design basis. It appears that events that would exceed the design basis protection against tsunamis, earthquakes and floods are much more likely than assumed in the original design and licensing. So the screening of hazards for multiunit sites needs to be more carefully evaluated than previously practiced. Careful screening of hazards is thus an essential ingredient for the safety assessment of multiunit sites against multiple hazards.

2.4 Human reliability

In current PSA models credit is taken for operator recovery actions and accident management for the recovery of the plant from a degraded state or core damage condition. As demonstrated in the Fukushima accident, these activities can be severely restricted by releases at other installations. The human reliability analysis for single units does not take such a scenario into consideration. For a multiunit site the human reliability analysis needs to account for conditions where the site is contaminated with radioactive material and accident management actions need to be executed in this environment, adding another level of complexity to the safety assessment of multiunit sites.

2.5 Infrastructure

For severe accident management it is usually anticipated that the infrastructure of the site is unaffected by the demands made by the hazard. The toll on the infrastructure during the Fukushima accident was significant, and many of the resources that would have played a role in the mitigational actions during the severe accident management were rendered unusable by the tsunami. In response to this, the industry has undertaken actions to deploy additional resources that can be quickly brought into play to offset damaged infrastructure. In the site safety assessment, the role and sequence of such deployment of alternate resources needs to be included in establishing a reasonable quantification of the risk profile for the site.

3. SUMMARY

In summary, the site safety assessment for a multiunit site will be quite complex. It needs to start with individual unit risk assessments; these need to be combined considering the interactions between units and their responses, and the fragilities of the installations established considering the combined demands from all interactions. Using newly established risk metrics, the risk can then be integrated for the overall site. Fig. 2 shows such a proposal schematically. Much work has to be done, and the IAEA has established a working group that is systematically establishing the structure and process to incorporate the many issues that are a part of a multiunit site safety assessment.


Fig. 2: Framework for Probabilistic Safety Assessment of Multiunit Sites against External Events


REFERENCES

1. ANS Special Committee on Fukushima Daiichi, (2012), "Fukushima Daiichi: ANS Special Committee Report", LaGrange Park, IL, USA

2. United States Nuclear Regulatory Commission, Recommendations for Enhancing Reactor safety in the 21st Century, The Near-Term Task Force, Review of insights from the Fukushima Dai-ichi Accident, USNRC. Washington DC (July 2012)


SESSION 1

ANALYSIS OF EXTERNAL HAZARDS POTENTIAL

Chair: Jorma Sandberg

L. Burgazzi IMPLEMENTATION OF PSA MODELS TO ESTIMATE THE PROBABILITIES ASSOCIATED WITH EXTERNAL EVENT COMBINATION

J. Hellander IDENTIFICATION AND SCREENING OF HAZARDS FOR THE EXTERNAL EVENT PRA

K. Demjancukova, L. Pecinka SEISMIC HAZARD ASSESSMENT FOR NPPs IN CZECH REPUBLIC

H. Kollasko, M. Jockenhövel-Barttfelda, U. Klappa PROBABILISTIC ANALYSIS OF EXTERNAL EVENTS WITH FOCUS ON THE FUKUSHIMA EVENT


Implementation of PSA models to estimate the probabilities associated with external event combination

Luciano Burgazzi

ENEA, Italian National Agency for New Technologies, Energy and Sustainable Economic Development Via Martiri di Monte Sole 4, 40129 Bologna, Italy tel. +39 051 6098556, fax +39 051 6098279

e mail: [email protected]

Abstract

This note endeavors to address some significant issues revealed by the Fukushima accident in Japan in 2011, such as the analysis of the various dependency aspects that arise within the external event PSA framework, for example the treatment of correlated hazards. To this aim, some foundational notions for implementing PSA models related to specific aspects, like the external hazard combination (e.g., earthquake and tsunami as at the Fukushima accident) and the external hazard-caused internal events (e.g., seismic induced fire), are proposed and discussed for incorporation within the risk assessment structure.

1. Introduction

The Fukushima accident in Japan in 2011 has revealed various gaps in the current use of the PSA approach for plant risk assessment. As a result, some issues need to be reconsidered and/or improved in PSA application and the state of practice: these include, for instance, PSA for extreme external events, site-wide risks, and extended accident scenarios implying consideration of prolonged mission times. While these issues can be classified as relating to the incompleteness of PSA, another important category relates to the identification of the dependencies between the hazards and their modeling within the PSA framework. To this aim, some foundational notions for implementing PSA models related to the external hazard combination (e.g., earthquake and tsunami as at the Fukushima accident) and the external hazard-caused internal events (e.g., seismic induced fire) are proposed and discussed for incorporation within the risk assessment structure.

2. Correlation between hazards

As mentioned earlier, the requirement to consider correlated hazards is emphasized by the Fukushima accident, as regards the combination of extreme hazards and the hazard-induced initiating events. To give this aspect its due importance, the simplifying assumptions of independence have to be avoided, and appropriate models implemented that are suitable to describe the correlation mechanisms, in terms of Common Cause Initiating Events (CCIE), such as:

• seismic hazard and tsunami, as events sharing the same source of origin

• strong winds and heavy rain, as phenomenologically correlated events

• seismic hazards and seismically induced fire, as induced hazards

The present analysis is not site-specific, but aimed at a sort of “technology neutral framework”, acknowledging the fact that the frequency assessment of correlated hazards should take into account all the available information (i.e. site-specific, regional, worldwide), as well as all correlations and uncertainties.

3. Combination of hazards approach

The easiest and most “uncomplicated” way to assess the frequency of two or more external events occurring simultaneously would be to consider them as independent events, so that the overall frequency would be obtained straightforwardly as the product of the single frequencies. In practice the problem is more complicated, especially when the dependency between the events cannot be ignored in the frequency assessment of the initiating event. As the previous section shows, the single frequencies cannot be chosen independently of each other, mainly because of the expected synergism between the different events under investigation: these synergistic effects trigger an accident sequence with the potential to challenge the system safety and performance to a more severe degree and extent than if the single events were considered. This conclusion allows the implementation of the initiating event quantification by properly capturing the interaction between the single frequency characteristics of the various events. One approach to address the case of dependent external events is to estimate the joint p.d.f. (probability density function) of the frequencies, and then estimate the frequency based on the estimated joint p.d.f.

Consider a simple case characterized by two events. Let’s denote by $x_1$ and $x_2$ the relative frequencies, with distributions $f(x_1)$ and $f(x_2)$: if the events are dependent the following relationship holds:

$$f(x_1, x_2) \neq f(x_1)\,f(x_2) \qquad (1)$$

where the left term denotes the frequency of the combined events to be assessed, in the form of the joint p.d.f. of the single frequencies.

This expression extended to a number n of external events becomes:

$$f(x_1, x_2, \ldots, x_n) \neq f(x_1)\,f(x_2) \cdots f(x_n) \qquad (2)$$


For instance, in case of induced hazards as formerly defined, the application of the conditional probability concept implies the consideration for the dependencies between the events: this concerns essentially the assumption of dependency between the marginal distributions, to construct the joint probability distribution of the frequencies relative to the conditioning event and the conditioned event. Therefore, in particular, in this work the concept of conditional probability is applied to determine the conditional density estimate. At first we’ll recall some definitions and characteristics of the conditional density function.

The conditional probability for events A and B (conditional probability of A occurring given that B occurs) is given by:

$$P(A/B) = \frac{P(AB)}{P(B)} \qquad (3)$$

if $P(B) > 0$.

The expression for the conditional probability density function is

$$f(y/x) = \frac{f(x,y)}{f_x(x)} \qquad (4)$$

defined for x such that $f_x(x) > 0$,

where $f(x,y) > 0$ is the joint density function of the variables x and y,

and where the marginal density $f_x$ of x satisfies

$$f_x(x) = \int_{-\infty}^{\infty} f(x,y)\,dy \qquad (5)$$

Then the conditional probability of y given x is

$$F(y/x) = P(y < Y / x = X) = \int_{-\infty}^{Y} f(y/x)\,dy \qquad (6)$$

In the following, the normal distribution is considered for its relative simplicity and familiarity to engineers. It represents a good approximation in case the standard deviation is small as compared to the mean value.

$$f(x) = \frac{1}{\sigma\sqrt{2\pi}} \exp\left(-\frac{(x-\mu)^2}{2\sigma^2}\right) \qquad (7)$$

The values of the cumulative distribution function are derived from the tables of the standard normal distribution N(0,1),

$$f(t) = \frac{1}{\sqrt{2\pi}} \exp\left(-\frac{t^2}{2}\right) \qquad (8)$$

after the transformation $t = (x-\mu)/\sigma$.

4. Illustrative example

As an illustrative example, table 1 shows the parameters of interest of the normal distributions, with reference to the case of the combination of two events (such as the earthquake and tsunami or strong wind and heavy rain).

Table 1: Normal pdf characteristics

| Parameter | Range (a-b, 1/year) | Characteristics (1/year) |
|---|---|---|
| x1 | 3-7 E-01 | μ = 5.0E-1, σ = 1.0E-1 |
| x2 | 2-6 E-01 | μ = 4.0E-1, σ = 1.0E-1 |

It’s worth noticing that the ranges defined by two standard deviations roughly cover the 95% confidence interval, considering that the two-sided 95% confidence interval lies at ± 1.96 standard deviations from the mean value. The joint p.d.f. of two normally distributed variables x and y is given by the bivariate normal distribution expression:

$$f(x,y) = \frac{1}{2\pi\sigma_1\sigma_2(1-\rho^2)^{1/2}} \exp\left[-\frac{s}{2(1-\rho^2)}\right] \qquad (9)$$

Where

$$s = \frac{(x-\mu_x)^2}{\sigma_x^2} - \frac{2\rho(x-\mu_x)(y-\mu_y)}{\sigma_x\sigma_y} + \frac{(y-\mu_y)^2}{\sigma_y^2} \qquad (10)$$

The expression for the bivariate normal density function in the standard form is:

$$f(x,y) = \frac{1}{2\pi(1-\rho^2)^{1/2}} \exp\left(-\frac{x^2 + y^2 - 2\rho xy}{2(1-\rho^2)}\right) \qquad (11)$$

with Pearson’s product moment correlation coefficient ρ

ρ = σ12/(σ1 σ2) (12)


A bivariate normal distribution is specified by setting an average matrix μ = (μ1, μ2), and a variance-covariance matrix Σ = (σij) with σ11 = Var (x), σ22 = Var (y) and σ12 = σ21 = COV(x,y), respectively as

$$\begin{bmatrix} \mu_1 \\ \mu_2 \end{bmatrix} \quad \text{and} \quad \begin{bmatrix} \sigma_1^2 & \sigma_{12} \\ \sigma_{21} & \sigma_2^2 \end{bmatrix}$$

Note that Σ is a symmetric positive matrix.

In the present case let’s assume a correlation coefficient equal to 0.9, since the variables seem to be highly correlated: from (12) this is equivalent to a covariance value of 14.4. Thus the matrices defined above assume the form of

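$$\begin{bmatrix} \mu_1 \\ \mu_2 \end{bmatrix} = \begin{bmatrix} 5^{*} \\ 4^{**} \end{bmatrix} \quad \text{and} \quad \begin{bmatrix} \sigma_1^2 & \sigma_{12} \\ \sigma_{21} & \sigma_2^2 \end{bmatrix} = \begin{bmatrix} 1^{*} & 0{,}9^{**} \\ 0{,}9^{**} & 1^{*} \end{bmatrix}$$

In the first matrix, * is read as 5.0E-1 and ** is read as 4.0E-1; in the second matrix, * is read as 1.0E-2 and ** is read as 0.9E-2.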

However, the evaluation of these quantities through expressions (9) and (11) requires numerical integration techniques. Thus another approach is followed, taking into account the conditional distribution of y given that x = X. This is represented by another normal distribution:

$$f(y/x=X) = \mathrm{Nor}\left(\mu_y + \rho\,\frac{\sigma_y}{\sigma_x}(x-\mu_x),\; \sigma_y^2(1-\rho^2)\right) \qquad (13)$$

With the correspondences x1=y and x2=x we can construct the joint probability mass function of the two variables. From the normal distribution parameters, one can determine the probability given that the variable x will fall in a given range. For example let’s evaluate the probability value of the combined external events frequency (1/year), conditional on one single external event assuming a certain frequency value (e.g. x = 4,1*10^-1/year). This point is illustrated in figure 1 below, which refers to parameter values reported in table 1, so that the expected values E and variance Var of the normal pdf are respectively:

E (y/x = 4,1*10^-1/year) = 5,09E-1/year

Var (y/x = 4,1*10^-1/year) = 0,019E-1/year

The relative p.d.f. in the form f(y/x=4,1*10^-1/year) = Nor (5,09*10^-1/year, 0,019*10^-1/year) is represented in figure 1.


[Plot: Normal distribution (Prob. density); the horizontal scale is determined by the parametric values. Legend: Prob. density, Mean value, Selected probability.]

Figure 1 conditional probability density function of events
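The closed form (13) can be checked against direct numerical integration of equations (4) to (6) with the joint density (9). The Python code below is an added example, not part of the original paper; it uses the Table 1 parameters with ρ = 0.9 and x = 4,1*10^-1/year, and the function names, the Simpson rule and the ±10σ integration window are assumptions of the example.

```python
import math

# Table 1 parameters with the correspondences x1 = y and x2 = x (units: 1/year).
MU_Y, SIGMA_Y = 0.5, 0.1
MU_X, SIGMA_X = 0.4, 0.1
RHO = 0.9  # correlation coefficient assumed in the text

# Assumption of this example: mean +/- 10 sigma stands in for (-inf, +inf).
Y_LO, Y_HI = MU_Y - 10 * SIGMA_Y, MU_Y + 10 * SIGMA_Y


def joint_pdf(x, y):
    """Bivariate normal density, equations (9) and (10)."""
    zx = (x - MU_X) / SIGMA_X
    zy = (y - MU_Y) / SIGMA_Y
    s = zx * zx - 2.0 * RHO * zx * zy + zy * zy
    norm = 2.0 * math.pi * SIGMA_X * SIGMA_Y * math.sqrt(1.0 - RHO ** 2)
    return math.exp(-s / (2.0 * (1.0 - RHO ** 2))) / norm


def simpson(func, a, b, n=2000):
    """Composite Simpson rule on [a, b]; n must be even."""
    h = (b - a) / n
    total = func(a) + func(b)
    for i in range(1, n):
        total += (4 if i % 2 else 2) * func(a + i * h)
    return total * h / 3.0


def marginal_pdf_x(x):
    """Equation (5): marginal density of x, integrating the joint density over y."""
    return simpson(lambda y: joint_pdf(x, y), Y_LO, Y_HI)


def conditional_moments_numeric(x):
    """Mean and variance of y given x, by integrating f(y/x) from equation (4)."""
    fx = marginal_pdf_x(x)
    mean = simpson(lambda y: y * joint_pdf(x, y) / fx, Y_LO, Y_HI)
    var = simpson(lambda y: (y - mean) ** 2 * joint_pdf(x, y) / fx, Y_LO, Y_HI)
    return mean, var


def conditional_moments_closed(x):
    """Mean and variance of y given x from the closed form, equation (13)."""
    mean = MU_Y + RHO * (SIGMA_Y / SIGMA_X) * (x - MU_X)
    var = SIGMA_Y ** 2 * (1.0 - RHO ** 2)
    return mean, var


def conditional_cdf_numeric(y_upper, x):
    """Equation (6): F(y/x) as the integral of f(y/x) up to y_upper."""
    fx = marginal_pdf_x(x)
    return simpson(lambda y: joint_pdf(x, y) / fx, Y_LO, y_upper)


def conditional_cdf_closed(y_upper, x):
    """F(y/x) from the normal CDF after the transformation t = (y - mean)/std."""
    mean, var = conditional_moments_closed(x)
    t = (y_upper - mean) / math.sqrt(var)  # (13) gives a variance, so take its root
    return 0.5 * (1.0 + math.erf(t / math.sqrt(2.0)))


if __name__ == "__main__":
    x_given = 0.41  # 4,1*10^-1 per year, the value used in the text
    print("closed form  (mean, var):", conditional_moments_closed(x_given))
    print("integration  (mean, var):", conditional_moments_numeric(x_given))
    for y in (0.45, 0.55):
        print(y, conditional_cdf_closed(y, x_given), conditional_cdf_numeric(y, x_given))
```

Both routes give the same conditional mean and variance, so the closed form replaces the double integration without loss of accuracy.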

The probability of the occurrence of both events, with frequency of, for instance, 5.1*10^-1/year and 4,1*10^-1/year respectively, is

P(y<5,1*10^-1 / x=4,1*10^-1) = Φ(0,53) = 0.7, as represented in the highlighted area of the figure below.

The previous analysis holds particularly as regards the case of induced accidents, where the probability of occurrence of an event is conditional upon the occurrence of another event. This analysis may be extended to include more external events, by adopting multivariate normal distributions: obviously this adds a significant burden to the study. It’s worth noticing that this mathematical approach finds application, as well, as regards the development of the whole probabilistic safety analysis process, since models for PSA for external events typically consider a number of potential events that may challenge plant safety such as loss of AC power necessary to operate critical equipment and/or loss of capability to cool the nuclear reactor core. As the characteristics of events that may challenge plant safety are identified, the capacity of the safety systems designed to protect critical functions is evaluated for the conditional probability of failure, thus resulting in an overall measure of the available protection with respect to the likelihood of the intervening event.


[Plot: Normal distribution (Prob. density); the horizontal scale is determined by the parametric values. Legend: Prob. density, Mean value, Selected probability.]

Figure 2 conditional probability of events

Results are based and conditional upon the assumed distributions and the assumptions coming from a “rough” engineering investigation, without resorting to site-specific data bases for statistical inference, retaining the level of generality of the analysis, as formerly underlined.

5. Conclusions

Risk assessment of external hazards is required and utilized as an integrated part of PRA for operating and new reactor units. In the light of the Fukushima accident, of special interest are correlated events, whose modelling is proposed in the present study, in the form of some theoretical concepts, which lay the foundations for the PSA framework implementation. An applicative example is presented for illustrative purposes, since the analysis is carried out on the basis of generic numerical values assigned to an oversimplified model and results are achieved without any baseline comparison. Obviously the first step aimed at the process endorsement is the analysis of all available information in order to determine the level of applicability of the observed specific plant site events to the envisaged model and the statistical correlation analysis for event occurrence data that can be used as part of this process. Despite these drawbacks that actually do not qualify the achieved results, the present work represents an exploratory study aimed at resolving current open issues in the PSA, like topics related to unanticipated scenarios: the combined external hazards of the earthquake and tsunami in Fukushima, external hazards causing internal events, such as seismic induced fire. These topics are to be resolved among the other ones as emerging from the Fukushima accident, in order to endorse and make more effective the risk assessment process.


Nuclear Safety and Technology 1 (8) Juho Helander 2013-05-24 Public

External hazard identification, screening and studies for a new plant site

Juho Helander Fennovoima Oy, Helsinki, Finland

Abstract Fennovoima is constructing a new nuclear power plant on a greenfield site in Northern Finland. Various evaluations for site-specific hazards are needed to ensure sufficient plant design basis values, proper design solutions and to provide input for the PRA model.

This paper presents the general process used in identifying the relevant site-specific external hazards. The applicable legislative requirements, guides and standards regarding external hazards and external event PRA shall be identified. Based on these, an initial comprehensive list of events should be compiled.

The initial list shall be filtered to exclude irrelevant events. Events can be screened out if the probability is very low or if the consequences are only mild. Events with similar consequences should be combined. Events can be grouped in several ways, and in this paper the risks are categorized into events related to air, water bodies, ground and human behaviour. In addition, the simultaneously occurring combinations of events should be identified.

The paper also summarizes some hazard studies already performed and required in the future in Fennovoima's project. A comprehensive study is ongoing related to earthquake risks. The study aims at identifying all relevant seismic sources and taking into account various expert opinions in seismic modelling. Also frazil ice and anchor ice studies are being performed to eliminate the risk of cooling water intake blockage due to ice. In addition, some other study areas are mentioned.

Contents
1 INTRODUCTION
2 GUIDES AND STANDARDS
2.1 Finnish YVL guides
2.2 International guides and standards
3 EVENT IDENTIFICATION AND SCREENING
3.1 The process description
3.2 Event screening
3.3 Event combinations
4 EVENT STUDIES
4.1 Studies in different project phases
4.2 Earthquake studies
4.3 Frazil ice studies
4.4 Other studies
5 SUMMARY AND CONCLUSIONS

Fennovoima Oy | fennovoima.fi | +358 20 757 9200 | Salmisaarenaukio 1, FI-00180 Helsinki, Finland | Business ID 2125678-5


1 INTRODUCTION

Fennovoima is planning to construct a nuclear power plant (FH-1) on a greenfield site in Pyhäjoki, Hanhikivi in Northern Finland. The positive political decision (Decision-in-Principle) related to the plant project was received in 2010, and the site was selected in 2012. The next step in the project is the submittal of the construction license application to the Ministry of Employment and Economy (MEE) by June 2015. Together with the application, the design-phase PRA shall also be submitted to the Finnish Radiation and Nuclear Safety Authority (STUK).

Fennovoima's plant options include Toshiba's EU-ABWR (1600 MW electric output) and Rosatom's AES-2006 (1200 MW). Direct negotiations are ongoing with both plant suppliers and the selection will be made during the year 2013.

This paper discusses the process used in creating a list of relevant events requiring further studies. The aim is to identify the hazards to be modelled as initiating events in the PRA model.

In Section 2, some applicable guides and standards are presented. Section 3 presents the process for identifying and screening events. Section 4 discusses some specific studies related to the Hanhikivi site, specifically related to earthquakes and frazil ice. Section 5 presents a summary and conclusions.

2 GUIDES AND STANDARDS

2.1 Finnish YVL guides

External hazards have been discussed in the Finnish regulatory guides (YVL guides). Guide A.2 (site selection) mentions some events that shall be taken into account in site selection. Guide A.7 (PRA) requires that relevant external events shall also be included in the PRA model. However, the guide does not explicitly mention the events to be included. Guide B.7 (internal and external threats) gives quite a comprehensive list of external events to be considered in the plant design. It also states that the adequacy of the design basis values related to earthquakes and other external events shall be demonstrated by using PRA.

The YVL guides also state that when possible, a hazard curve shall be evaluated. This requires that the event strength can be measured by using a scale, and that there is a measured time series available. Occurrence times longer than the observation period can be evaluated by fitting an extreme distribution and using extrapolation. The hazard curve uncertainties shall be assessed by evaluating hazard curves also for locations surrounding the site.

The anticipated changes in event occurrences and strengths due to climate change shall be assessed and taken into account. For example, the climate change causes the mean sea water level to rise, but on the other hand, land upheaval causes the mean level to lower.

Also the dependencies between different events shall be considered.

2.2 International guides and standards

There are several guides and standards related to external event PRA and external events in general:
- NRC. NUREG/CR-230. PRA procedures guide.
- IAEA. NS-G-1.5. External events excluding earthquakes in the design of nuclear power plants.
- IAEA. NS-R-3. Site evaluation for nuclear installations.
- IAEA. NS-G-3.1. External human induced events in site evaluation for nuclear power plants.
- IAEA. SSG-3. Development and application of level 1 probabilistic safety assessment for nuclear power plants.
- IAEA. SSG-18. Meteorological and hydrological hazards in site evaluation for nuclear installations.
- IAEA. SSG-21. Volcanic hazards in site evaluation for nuclear installations.
- ASME. ASME/ANS RA-S-2008. Standard for level 1 / large early release frequency probabilistic risk assessment for nuclear power plant applications.
- NEA. NEA/CSNI/R(2009)4. Probabilistic safety analysis (PSA) of other external events than earthquake.
- SKI. SKI report 02:27. Guidance for external events analysis.

There are also standards related specifically to seismic hazards:
- IAEA Safety guide. NS-G-1.6. Seismic design and qualification for nuclear power plants.
- IAEA Safety guide. NS-G-2.13. Evaluation of seismic safety for existing nuclear installations.
- IAEA Specific safety guide. SSG-9. Seismic hazards in site evaluation for nuclear installations.

3 EVENT IDENTIFICATION AND SCREENING

3.1 The process description

The process used in identifying the relevant external events to be modelled in the PRA is presented in Figure 1.

Figure 1. The process for identifying the relevant events to be modelled in the PRA.


The initial event identification should create as comprehensive a list as possible, because very rare events with serious consequences can also have a significant contribution to the total risk of a nuclear power plant.

Events with a low probability should be screened out. A general screening frequency used in many PRA models is 1·10^-8 /a. These events have only a very small contribution to the total plant risk regardless of the event consequences.

Events that can only cause small consequences or only have a low potential should be screened out. For some events, the maximum potential can be determined quite accurately. The events included in the PRA model shall exceed the design basis of the plant or a part of the plant or the design basis of the national grid, and they shall lead to significant consequences resulting in reactor scram and plant shutdown.

Certain events require specific conditions or site characteristics (e.g. landslides require steep slopes). Events that cannot occur on the site should be excluded.

Certain events are included in another event. For example, the initiating event related to high sea water level includes all different factors affecting the sea level (wind, seiche, tide, etc.).

After screening out the irrelevant events, the remaining events should be analysed more carefully. These analyses probably lead to screening out of additional events. The remaining initiating events will be considered as external initiating events in the PRA model.

3.2 Event screening

The initial comprehensive list of possible events to be considered when designing and constructing a nuclear power plant is presented in Table 1. This list is applicable to any site in any part of the world.

Table 1. Initial comprehensive list of site-specific events.


The initial list of events can be screened by using the screening criteria presented in Figure 1. Some events can be excluded by more than one criterion.

Events that are generally known to have a very low probability near the Hanhikivi site include e.g.: meteorites, surface faulting, tunnel collapses, tsunami, airplane crash, falling satellites or rockets and ship collision.

Events that cannot cause significant consequences include e.g.: air pressure, any animals, drought, fog, frost, hail, ground fires, ground frost, ground water level changes, fish and other sea life, sediment transfer and transportation accidents.

Events that are irrelevant to the Hanhikivi site include e.g.: dust and sand storms, avalanches, landslides, volcanoes, dam failures, dangerous substance leaks and explosions and industrial accidents.

Some events are included in other events. For example, the effects of seiche and waves are included in the high sea water level event. The final list of events requiring further analyses is presented in Table 2. These events require further studies to determine the relevant events to be modelled in the PRA. More detailed studies probably lead to screening out of additional events.

Table 2. Screened list of events requiring further studies.

3.3 Event combinations

In addition to single events, combined events occurring simultaneously shall be identified. The identification of combined events should concentrate on events that are dependent on each other and together cause more serious consequences than a single event.

Most of the events can be assumed independent of each other (e.g. earthquake and strong wind or algae and lightning). In this case, the probability of extreme events occurring simultaneously is extremely small and can be screened out from the PRA model.

An important aspect in identifying the event combinations is the evaluation of event probabilities during different times of the year. The monthly frequencies of different events should be assessed.

The relevant combinations of initiating events shall be systematically identified after the single events have been identified and their frequencies assessed. Strong wind is a relevant event because a storm resulting in loss of offsite power is a relatively general event and it could occur simultaneously with many other events (snow storm, algae, frazil ice, high sea water level).

4 EVENT STUDIES

4.1 Studies in different project phases

External hazard studies have been started at an early phase in Fennovoima's plant project. Figure 2 illustrates some important milestones during which hazard studies are required. In the beginning, quite general evaluations are performed, but later the level of detail should increase.

Figure 2. Important phases in a nuclear power plant project requiring external hazard studies.

Already for the Decision-in-Principle application (related to the political decision), a general description of relevant events is required to assure that the selected sites are suitable.

In 2010, Fennovoima still had two different site options (Pyhäjoki and Simo). Design basis values were determined for both sites based on studies related to meteorological events, earthquakes and sea water level. Also in site selection, the different external events were taken into account.

In accordance with the construction license application, the design-phase PRA and preliminary safety analysis report (PSAR) shall be compiled. Frequencies for very rare events need to be developed to select the events to be modelled in the PRA and to determine the initiating event frequencies. Information is also needed to compile the PSAR chapter related to plant site. This chapter should give general descriptions on the site conditions, the risks related to different site-specific events and the provisions taken to mitigate any harmful effects.

Together with the operating license application, the final PRA and the final safety analysis report (FSAR) need to be submitted. In the design-phase PRA, some preliminary estimates might be used, and more detailed evaluations might be required for the final PRA. The same applies to PSAR and FSAR.


4.2 Earthquake studies

Preliminary earthquake evaluations have been performed for the Hanhikivi site in 2008-2012 to determine the design basis earthquake and seismic design basis value for plant systems, structures and components.

In 2013-2015, a new project is ongoing to reduce the uncertainties of the results obtained in the earlier studies. The project is illustrated in Figure 3.

Figure 3. Description of Fennovoima's seismic study in 2013-2015.

The study employs experts from Finnish and Swedish universities, research organisations and consultants. There is also a separate review group that is not involved in the actual work. The project is divided into consecutive phases. The results and reports of each phase are always reviewed before moving on to the next phase.

The first group studies the seismotectonics and geology of the region. Seismic databases from Finland and Sweden are compiled and harmonised, possible seismic source zones are identified and various seismotectonic models are proposed.

The second group characterizes the seismic source zones by providing the seismic parameters (Gutenberg-Richter equation parameters and maximum magnitudes). Suitable GMPEs describing the ground motion attenuation are also provided.

In the hazard calculations, a logic tree is used to take into account all relevant opinions by using branches. The branches are weighted according to their estimated probabilities. The logic tree is constructed by the project manager based on the suggestions of groups 1 and 2.

Finally, group 3 calculates the results and conducts some sensitivity analyses. The results are reported according to the ANSI/ANS-2.29-2008 standard, including:
- Mean and fractile hazard curves
- Uniform hazard response spectra and design earthquake response spectrum
- Magnitude-distance deaggregation and seismic source deaggregation
- Mean magnitude and distance

4.3 Frazil ice studies

The risk related to frazil ice is the possible clogging of the cooling water intake due to large amounts of ice. Actually, two different phenomena can be distinguished: frazil ice and anchor ice.

Frazil ice is formed when water is cooled to the extent that it gets supercooled and ice crystals start to form and grow. Anchor ice, on the other hand, grows on the surfaces of objects in the water.

The main target of the frazil ice studies is the determination of proper design solutions that minimize the intake clogging probability. These include at least recirculation of warmed cooling water, electric heating of the trash screen, proper trash screen dimensions (mesh size and bar diameters) and intake depth. Additionally, the frazil ice or anchor ice occurrence probabilities are estimated, if possible.

The frazil ice studies concentrate on the blocking mechanisms, specification of favourable circumstances for frazil ice occurrence, physical modelling and possibility of frazil ice occurrence at Hanhikivi.

4.4 Other studies

Some other examples of site-specific hazard studies performed for the Hanhikivi site include:
- Meteorological events: Air temperature, wind, humidity, precipitation, snow load. Meteorological events are also studied in the Finnish nuclear research project SAFIR (Extreme Weather subproject)
- Sea water level and sea ice effects
- Probability of an accidental airplane crash
- Processing, storage and transportation of dangerous substances

5 SUMMARY AND CONCLUSIONS

This paper presented a list of Finnish and international guides and standards useful in evaluating external hazards. Also a methodology was presented to identify and screen site-specific hazards in a new nuclear power plant project. The screened list of relevant events for the Hanhikivi site requiring further studies was presented.

Also the studies needed in different phases of a new nuclear power plant project were discussed. Some specific studies regarding earthquakes and frazil ice were described in detail.

Studying the potential related to different site-specific external hazards is important because they might have a significant risk contribution. This impression is supported, for example, by the events in Fukushima. The plant has to be designed by taking properly into account local and regional conditions. The risk significance of each event should be specified so that most attention can be paid to the most relevant events.


SEISMIC HAZARD ASSESSMENT FOR NPPS IN CZECH REPUBLIC

Katerina DEMJANCUKOVA, UJV Rez, a.s. Ladislav PECINKA, UJV Rez, a.s.

ABSTRACT

The Czech Republic is a country with very low seismicity. For the two operated NPPs, the IAEA Safety Guide 50-SG-S1 was applied and the level of peak ground acceleration of 0.1g has been defined. For the two new units planned to be operated at the Temelin site, the IAEA Safety Guide SSG-9 has been used for seismic hazard assessment.

KEY WORDS: Seismic hazard, IAEA Safety Guides, peak ground acceleration, Newmark ground response spectra, regional investigations, near regional investigations, site vicinity investigations, site area investigations

1. HISTORY

The Czech Republic is a country with very low seismicity. For the two operated NPPs, the IAEA Safety Guide 50-SG-S1 (Rev.1) “Earthquakes and associated topics in relation to nuclear power plant siting” [1] was applied and the level of peak ground acceleration of 0.1 has been defined. The recommendations of IAEA Safety Guide NS-G-3.3 “Evaluation of Seismic Hazards for Nuclear Power Plants” [2] have been taken into consideration. For the NPP Temelin site the following accelerograms have been selected for further analysis:

- San Severo, Italy, 23. 11. 1980,

- USA, Western Part, 04. 09. 1955,

- USA, Western Part, 22. 03. 1957,

- USA, Western Part, 22. 09. 1957.

All these accelerograms have been linearly modified to correspond to the peak ground acceleration value of 0.1g in horizontal and vertical directions. The calculated ground response spectra have been enveloped and compared with Newmark ground response spectra according to the methodology presented in NUREG/CR 0098.

For the NPP Dukovany, a similar approach has been used and finally the Newmark ground response spectrum has been selected for seismic upgrading.

2. INVESTIGATIONS ACCORDING TO IAEA SAFETY GUIDE SSG-9

For the two new units planned to be operated on the Temelin site, the IAEA Safety Guide SSG-9 “Seismic Hazards in Site Evaluation for Nuclear Installations” [3] will be used. This Guide also addresses what is needed for probabilistic safety assessment conducted for nuclear installations. The key elements of this approach are as follows:


- geological, geophysical and geotechnical database,

- construction of regional seismotectonic model,

- evaluation of the ground motion hazard,

- probabilistic seismic hazard analysis.

3. GEOLOGICAL, GEOPHYSICAL AND GEOTECHNICAL DATABASE

Regional investigations: the size of the relevant region may vary, depending on the geological and tectonic setting, and its shape may be asymmetric in order to include distant significant seismic sources of earthquakes. Its radial extent is typically 300 km. The data are typically presented at a scale of 1:500 000 or larger, and with appropriate cross-sections.

Near regional investigations: the objectives of these studies are to

- define the seismotectonic characteristics of the near region on the basis of a more detailed database than that obtained from the regional study,

- determine the latest movements of faults,

- determine the amount and nature of displacements, rates of activity and evidence related to the segmentation of faults.

The data are typically presented at a scale of 1:50 000 and with appropriate cross-sections.

Site vicinity investigations: site vicinity studies should cover a geographical area typically not less than 5 km in radius. Investigations should include geomorphological and geological mapping, geophysical investigations and profiling, boreholes and trenching. As a minimum, the following data sets should be provided

- a geological map with cross-sections,

- age, type, amount and rate of displacement of all the faults in the area,

- identification and characterization of locations potentially exhibiting hazards induced by natural phenomena and by human activities.

Typically, the data are presented in maps at a scale of 1:5000 and with appropriate cross-sections.

Site area investigations: the following investigations of the site area should be performed by using field and laboratory techniques

- geological and geotechnical investigations to define the stratigraphy and the structure of the area,

- hydrogeological investigations using boreholes and other techniques,

- supplemental investigations of site effects. The dynamic behaviour of the site should be assessed, using available macroseismic and instrumental information as guidance.

The data are typically presented on maps at a scale of 1:500 and with appropriate cross-sections.


4. CONSTRUCTION OF REGIONAL SEISMOTECTONIC MODEL

The link between the geological, geotechnical and seismological databases and the calculation of the seismic hazard is a regional seismotectonic model, which should be based on a coherent merging of the databases. Any seismotectonic model should consist, to a greater or lesser extent, of two types of seismic sources:

- the seismogenic structures that can be identified by using the available database,

- diffuse seismicity that is not attributable to specific structures identified by using the available database.

The identification of seismogenic structures should be made from the geological, geophysical, geotechnical and seismological databases. For seismogenic structures that have been identified as being pertinent to determining the exposure of the site to earthquake hazards, their associated characteristics should be determined.

In the performance of a seismic hazard evaluation, knowledge about the depth distribution of the diffuse seismicity should be incorporated. Estimates of the maximum depth of earthquakes can be made on the basis of the recognized fact that earthquakes originate within or above the brittle to ductile transition zone of the Earth’s crust.

5. EVALUATION OF THE GROUND MOTION HAZARD

The ground motion hazard should preferably be evaluated by using both probabilistic and deterministic methods of seismic hazard analysis. When both deterministic and probabilistic results are obtained, deterministic assessments can be used as a check against probabilistic assessments in terms of the reasonableness of the results, particularly when small annual frequencies of exceedance are considered.

The ground motion as a function of all relevant parameters should be expressed in the form

$$GM = g(m, r, c_i) + \varepsilon_{gm} + \varepsilon_c, \qquad (1)$$

where

GM is the median estimate of the ground motion parameter and ground motion component of interest (usually expressed as a logarithm),

g(...) is a mathematical function,

m is the earthquake magnitude,

r is the seismic source to site distance,

ci are other relevant parameters,

εgm is the aleatory uncertainty,

εc is the component to component variability.

The calculated ground motion may express the maximum ground motion or a random component, depending on the project needs. The parameter εc is used when the component to component variability needs to be represented.


6. PROBABILISTIC SEISMIC HAZARD ANALYSIS

The conduct of a probabilistic seismic hazard analysis should include the following steps

- evaluation of the seismotectonic model for the site region in terms of the defined seismic sources, including uncertainty in their boundaries and dimensions,

- for each seismic source, evaluation of the maximum potential magnitude, the rate of earthquake occurrence and the type of magnitude–frequency relationship, together with the uncertainty associated with each evaluation,

- selection of the attenuation relationships for the site region, and assessment of the uncertainty in both the mean and the variability of the ground motion as a function of earthquake magnitude and seismic source to site distance,

- performance of the hazard calculation,

- taking account of the site response.

The expected frequency, per unit time period per seismic area, of earthquakes of a magnitude equal to or greater than mmin of the seismic source i; this may be represented by a Poisson process or a renewal process. The parameters needed for this evaluation are as follows

S is the number of seismic sources,

mmin, mmax are the minimum and maximum potential magnitudes of the seismic source i,

dmin, dmax are the minimum and maximum earthquake rupture dimensions of the seismic source i,

rmin, rmax are the minimum and maximum distances from the seismic source i to the site.
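The hazard calculation step in the list above, written out as an added Python example (not taken from the paper or from SSG-9): each source contributes its earthquake rate times the probability, integrated over magnitude and distance, that the ground motion exceeds a given level, and weighted alternative maximum magnitudes give a mean hazard. The two sources, the truncated Gutenberg-Richter relationship, the attenuation relationship, the uniform distance distribution, the weights and all function names are constructed for illustration; rupture dimensions dmin, dmax are not modelled.

```python
import itertools
import math

# Constructed inputs (hypothetical values, not site data).
# rate  : annual frequency of earthquakes with magnitude >= m_min in the source
# b     : b-value of the magnitude-frequency relationship
# m_max : alternative maximum magnitudes with weights (uncertainty in m_max)
SOURCES = [
    {"rate": 0.05, "b": 1.0, "m_min": 4.0, "m_max": [(5.5, 0.6), (6.0, 0.4)],
     "r_min": 10.0, "r_max": 60.0},
    {"rate": 0.20, "b": 0.9, "m_min": 4.0, "m_max": [(6.0, 0.5), (6.5, 0.5)],
     "r_min": 80.0, "r_max": 200.0},
]
SIGMA_LN = 0.6  # aleatory variability of ln(PGA), hypothetical


def median_ln_pga(m, r):
    """Hypothetical attenuation relationship g(m, r): ln of the median PGA in g."""
    return -3.5 + 0.9 * m - 1.2 * math.log(r + 10.0)


def normal_sf(z):
    """P(Z > z) for a standard normal variable."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def magnitude_pdf(m, b, m_min, m_max):
    """Truncated exponential magnitude density on [m_min, m_max]."""
    beta = b * math.log(10.0)
    return beta * math.exp(-beta * (m - m_min)) / (1.0 - math.exp(-beta * (m_max - m_min)))


def source_exceedance(src, m_max, pga, n_m=60, n_r=60):
    """Annual frequency of PGA > pga from one source for one m_max alternative.

    Midpoint-rule integration over magnitude and over distance; distance is
    assumed uniformly distributed between r_min and r_max.
    """
    dm = (m_max - src["m_min"]) / n_m
    dr = (src["r_max"] - src["r_min"]) / n_r
    p_r = 1.0 / n_r  # probability mass of each distance cell
    total = 0.0
    for i in range(n_m):
        m = src["m_min"] + (i + 0.5) * dm
        p_m = magnitude_pdf(m, src["b"], src["m_min"], m_max) * dm
        for j in range(n_r):
            r = src["r_min"] + (j + 0.5) * dr
            z = (math.log(pga) - median_ln_pga(m, r)) / SIGMA_LN
            total += p_m * p_r * normal_sf(z)
    return src["rate"] * total


def hazard_branches(pga):
    """(weight, annual exceedance frequency) for each combination of m_max values."""
    branches = []
    for combo in itertools.product(*(s["m_max"] for s in SOURCES)):
        weight = math.prod(w for _, w in combo)
        lam = sum(source_exceedance(s, m_max, pga)
                  for s, (m_max, _) in zip(SOURCES, combo))
        branches.append((weight, lam))
    return branches


def mean_hazard(pga):
    """Weighted mean annual frequency of exceeding pga, summed over all sources."""
    return sum(w * lam for w, lam in hazard_branches(pga))


def poisson_probability(lam, years):
    """Probability of at least one exceedance in `years` for a Poisson process."""
    return 1.0 - math.exp(-lam * years)


if __name__ == "__main__":
    for pga in (0.01, 0.05, 0.1, 0.2):
        lam = mean_hazard(pga)
        print(f"PGA > {pga:4.2f} g: {lam:.3e} /year, "
              f"P(50 years) = {poisson_probability(lam, 50):.3e}")
```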

CONCLUSIONS

The Czech Republic is a country with very low seismicity. For the evaluation of the seismic hazard of the two operating NPPs with VVER type reactors, the IAEA Safety Guide 50-SG-S1 “Earthquakes and associated topics in relation to nuclear power plant siting” was used, and the peak ground acceleration value was established at 0.1g.

After the Fukushima event, a higher level of seismic safety of nuclear power plants is required. The IAEA Safety Guide SSG-9 represents collective knowledge gained from recent significant earthquakes and new approaches in methods of analysis, particularly in the areas of probabilistic seismic hazard analysis and strong motion simulation. For this reason, this safety guide will be applied to the two new units planned to be built at the Temelin site.

REFERENCES

[1] IAEA. Safety Guide 50-SG-S1 (Rev.1). Earthquakes and associated topics in relation to nuclear power plant siting. IAEA, Vienna, 1991.

[2] IAEA. Safety Guide NS-G-3.3. Evaluation of Seismic Hazards for Nuclear Power Plants. IAEA, Vienna, 2002.

[3] IAEA. Specific Safety Guide SSG-9. Seismic Hazards in Site Evaluation for Nuclear Installations. IAEA, Vienna, 2010.


PROBABILISTIC ANALYSIS OF EXTERNAL EVENTS WITH FOCUS ON THE FUKUSHIMA EVENT

Heiko Kollasko, Dr. Mariana Jockenhövel-Barttfeld, Dr. Ulrich Klapp
AREVA NP GmbH, Erlangen, Germany

Abstract:

External hazards are those natural or man-made hazards to a site and facilities that originate externally to both the site and its processes, i.e. the dutyholder may have very little or no control over the hazard. External hazards have the potential of causing initiating events at the plant, typically transients such as loss of offsite power. Simultaneously, external events may affect safety systems required to control the initiating event and, where applicable, also back-up systems implemented for risk-reduction.

The plant safety may especially be threatened when loads from external hazards exceed the load assumptions considered in the design of safety-related systems, structures and components.

Another potential threat is given by hazards inducing initiating events not considered in the safety demonstration otherwise. An example is loss of offsite power combined with prolonged plant isolation. Offsite support, e.g., delivery of diesel fuel oil, usually credited in the deterministic safety analysis may not be possible in this case. As the Fukushima events have shown, the biggest threat is likely given by hazards inducing both effects. Such hazards may well be dominant risk contributors even if their return period is very high.

In order to identify relevant external hazards for a certain Nuclear Power Plant (NPP) location, a site specific screening analysis is performed, both for single events and for combinations of external events. As a result of the screening analysis, risk significant and therefore relevant (screened-in) single external events and combinations of them are identified for a site. The screened-in events are further considered in a detailed event tree analysis in the frame of the Probabilistic Safety Analysis (PSA) to calculate the core damage/large release frequency resulting from each relevant external event or from each relevant combination.

Screening analyses of external events performed at AREVA are based on the approach provided by the SKI guidance 2:27 and have been performed as part of the PSA for new plant designs and for installed base projects.

Following the Fukushima event from March 2011, the methodology for screening external events has been reviewed at AREVA with respect to its applicability, limitations and to the identification of enhancement areas.


This paper presents the screening analysis methodology to identify relevant external events and external event combinations. In line with the WENRA Position paper, this approach provides valuable input information for identifying single external events and combinations of them that could create Fukushima-like rare and severe external hazards, which may need to be addressed in addition to the general design basis as design extension hazards by realistic rather than conservative analyses. The analysis is based on a systematic identification of relevant external event combinations which includes earthquake-induced external events and takes into account a deterministic justification of the design basis for external events including beyond design external events.

Lessons learnt from the Fukushima accident have been identified and evaluated in order to be considered for reinforcement in the identification, screening and in the detailed probabilistic analysis of external events.

Keywords: External Hazards; Screening Analysis; Design Extension Hazards; Probabilistic Safety Analysis

1. Introduction

The accident at the Fukushima Daiichi nuclear power plant on 11 March 2011 was caused by a violent earthquake followed by a major tsunami that struck the site and resulted in severe damage. The sequence of events which followed led to a critical situation in 3 reactors (units 1 to 3) and in the spent fuel pool of unit 4, and finally to massive radioactivity releases to the environment. This major event has been classified by the Japanese Safety Authority at the maximum level on the INES scale (level 7).

The Fukushima event has shown the safety relevance of rare events exceeding the design basis of an NPP. The plant safety may especially be threatened when loads from external hazards exceed the load assumptions considered in the design of safety-related systems, structures and components.

Despite the fact that external hazards have been analyzed in the scope of deterministic and probabilistic analyses to define the design bases of the plant and to identify relevant external hazards as beyond design accidents, following the Fukushima event the methodology applied for the analysis of external events in the PSA has been reviewed at AREVA with respect to its applicability and limitations.

This paper outlines the main findings of this review and presents the screening analysis methodology to identify relevant external events and external event combinations. In line with the WENRA Position Paper [3], this approach provides valuable input information for identifying single external events and combinations of them that could create Fukushima-like rare and severe external hazards, which may need to be addressed in addition to the general design basis as design extension hazards by realistic rather than conservative analyses.

The analysis is based on a systematic identification of relevant external event combinations which includes earthquake-induced external events and takes into account deterministic justification of the design basis for external events including beyond design external events.

Lessons learnt from the Fukushima accident have been identified and evaluated in order to be considered for reinforcement in the identification, screening and the detailed probabilistic analysis of external events.


2. Consideration of External Hazards for Deterministic and Probabilistic Analyses

The Fukushima event has shown that the following specific external hazards considerations are appropriate:

- A design basis load case to be considered in the design of Systems, Structures and Components (SSCs) (e.g., Design Base Earthquake and Design Base Flooding) and

- A design extension load case (“Design Extension Hazard“, DEH) for which it shall be shown under best-estimate assumptions that fuel melt can be prevented or that the radiological consequences of fuel melt can be controlled by a proper containment function.

As the definition of a DEH may raise a need for design changes, it is necessary to identify hazards to which this approach might be applicable at an early design stage. An example of such a design extension hazard is the crash of a large commercial airplane on the plant.

In order to identify relevant external hazards for a certain NPP location, a site specific screening analysis is performed, both for single and for combinations of external events.

The screening analysis identifies relevant single and combined external hazards, which are natural or man-made events which originate externally to the site and its processes and which have the potential of causing initiating events at the plant, typically transients (e.g., loss of offsite power). Simultaneously, external hazards may affect safety systems required to control the initiating event and, where applicable, also back-up systems implemented for risk-reduction. The screening analysis of external events is performed to

- Identify external hazards for which a Design Extension Approach might be applicable and

- Identify the relevant external hazards for the detailed probabilistic analysis.

Screening analyses of external events performed at AREVA are based on the approach provided by the SKI guidance 2:27 [1] and have been performed as part of the PSA for new plant designs and for installed base projects.

As a result of the screening analysis, risk significant and therefore relevant (screened-in) single external events and combinations of them are identified for a site. The screened-in events are further considered as events to which a Design Extension Approach might be applicable. A detailed event tree analysis is performed for each screened-in external event in the frame of the PSA in order to calculate the core damage frequency (CDF) / large early release frequency (LERF) resulting from each relevant external event or from each relevant combination.

An overview of the screening process for external events, based on the approach of the external events PSA, is presented in Figure 1.


Figure 1: Overview of the Screening Process for external hazards

[Flowchart: INITIAL DATA COLLECTION (collecting site/plant relevant information and data on external hazards) → IDENTIFICATION OF EXTERNAL HAZARDS (exhaustive list of external events: air, ground, water) → HAZARD SCREENING ANALYSIS (list of plant/site relevant external events, single and combined events) → DETAILED HAZARD ANALYSIS (further detailed analysis on DEH and/or PSA modelling of screened-in hazards)]

As a first step, collection of relevant site information and data on external hazards for the site is performed in order to

- Identify external hazards potentially relevant to the plant and to the site and

- Provide the necessary input information to perform the screening analysis of external events.

External hazards may in particular have one or more of the following effects to be considered in the safety demonstration (Table 2.2. in SKI guide [1]):

| Impact type | Description |
|---|---|
| Structure / Pressure; Structure / Missile | The external event affects safety-related structures and may disable the safety functions contained. |
| HVAC (Heating, Ventilation, Air Conditioning) | The external event affects HVAC functions and may cause partial or total loss of safety systems relying on heating or cooling. Alternatively, the event may affect the plant through the ventilation system, e.g., corrosive gases. |
| Ultimate heat sink | The external event affects the ultimate heat sink and by this the capability of the residual heat removal from the core via secondary or primary cooling. |
| Power supply | The external event affects the plant grid connections and may cause loss of offsite power. |
| External flooding | The external event causes flooding of buildings or structures and may disable the safety functions contained. |
| External fire | The external event causes fire in buildings or structures and may disable the safety functions contained. |
| Electric | The external event affects safety functions by creating electrical or magnetic fields. |
| Other direct impact | In a few cases, the event may work in a way that is not covered by the general categories. Examples are plant isolation or toxic impact on personnel. |

Based on the initial data collection, potential external events to be considered in the screening analysis are identified in order to create an exhaustive list of external hazards.

Grouping the various types of external events is useful for structuring the information presented and for performing a tentative completeness check of the identified events. Based on the SKI guide [1] and Annex 1 of IAEA SSG-3 [2], a generic event grouping into natural and man-made external events, cross grouped via air, water and ground based external events, is considered. Applying the generic event grouping, relevant external events are derived and documented in an exhaustive list of events that constitutes the basis of the external events screening analysis.

3. Screening Analysis of External Events

The screening analysis of external events is performed in order to limit the number of events to be analyzed to those events which have the potential of a relevant impact on the plant and on the site.

The methodology applied in the screening analysis, which is based on [1], involves the following steps for screening single and combined external events:

Relevancy screening (site relevant external events)

The relevancy screening is based on general information about the strength of the potential external event and its relevancy at the site.

The purpose of the task is to screen out those potential external events, either single or combined, which are not relevant to the site, which means that they cannot occur at the site or in its relevant surroundings or that their maximum possible strength at the site is evidently too low.


The task will result in a list of potential site relevant external events.

The following screening criteria are used (see ref. [1] chapter 5):

Distance: The potential event cannot occur close enough to the plant to affect it.

Example of use: Volcanic phenomena could be screened out by the distance from areas where volcanic activities have taken place (if applicable to the site).

Inclusion: The potential event is included into another event which is more representative to the site.

Example of use: Continuous land rise takes place e.g. on the coast of Bothnia. This event is slow and may be included in the event low sea water level.

Applicability: The potential event is not applicable to the site.

Example of use: Events like Low Temperatures, Extreme snow, White frost are not applicable for tropical site locations.

Impact screening (plant relevant external events)

The purpose of the task is to screen out those potential external events, either single or combined, which would not have a considerable effect on the plant structures, cooling, electrical transmission or plant operation, even if maximum impact strength is assumed. As a result of this task, a list of plant relevant external events having the potential to degrade one or more plant safety functions is derived.


The following plant related screening criteria are used for the impact screening (see ref. [1] chapter 5):

Severity: The effects of the event are not severe enough to damage the plant, since it has been designed for other loads with similar or higher strength.

Example of use: Extreme air pressure can be screened out using this criterion as normal or abnormal events within this category will not affect the plant.

Warning: There is time to shut down the plant or to implement pre-planned measures which would render the event irrelevant. In the first case the functional analysis of event consequences can be restricted to the cold shutdown state. “The assessment of what is a sufficient warning time requires a plant specific approach, and is mainly dependent on the time required for safe shutdown of the plant. However, it also depends on existing procedures, emergency plans, etc. and must be evaluated on a case-by-case analysis.” [1]

Example of use: Flooding at river sites will often occur with enough pre-warning time to perform pre-planned actions to protect the plant by installation of flooding protection means and preventive plant shutdown (an exception might be flooding caused by dam failure).

Screening criteria for the identification of design extension load cases (“Design Extension Hazard”, DEH) may differ from PSA screening criteria when a more conservative approach is required in applicable regulations. Examples for deterministic screening criteria may include:

- Exclude any hazards which are physically not possible for a site (e.g. avalanche),

- Exclude any hazard whose impact is covered by accident conditions already considered in the plant design (e.g., water-based hazards which would at most lead to a blockage of the service water inlet screens when a scenario “Loss of Ultimate Heat Sink” is already postulated in the safety analysis),

- Exclude any hazard whose impact is already covered by another screened-in external hazard (e.g., direct impact from heavy transportation within the site may be covered by consideration of air plane crash).


Event definition

The purpose of the task is to acquire detailed site relevant information on the strength and frequency for each potential plant relevant external event using internal and external information sources [1]. The task will result in potential plant relevant external events characterized by

- Information on event strength, duration, frequency, etc.

- Potential impact on safety systems/components, availability of external support, etc.

Note: Experience from ongoing projects shows that these data are not completely available, especially in early project phases; consequently, the EE screening analysis needs to be updated during the project. Even in later project phases it might be necessary to base the analysis on expert judgment.

Plant response analysis

The purpose of the plant response analysis is to identify (see [1]):

a) the design basis values or best estimate expert opinions of the tolerability of relevant safety functions to the external hazard or to the combined external hazards

b) the damage levels for each potential plant relevant external event together with the assisting expertise at plant.

The analysis shall generate the following general information on the plant response to the various external events:

1. First, it must be identified whether or not an event would cause an initiating event in the plant, and which initiating event is most probable to occur (typically a transient or a need for a manual plant shutdown, either immediately or after some time).

2. Secondly, the potential to degrade one or more safety functions needed to cope with the induced initiating event. The kind of impact of the external event on the plant has to be determined. Available protective measures are also to be identified. These measures may especially include structural characteristics, characteristics of active or passive safety features, diversified features not affected by the event and protective or mitigating human interactions as defined in safety analysis and operating procedures.

4. Analysis of the screened-in External Events

Single external hazards and combinations of external hazards are analyzed in detail. This will initially require a more detailed analysis with regard to the protection principles and potential impact. Afterwards it can be concluded whether the event is a candidate event to be considered as

- A Design Extension Hazard (DEH) for which it shall be shown under best-estimate assumptions that fuel melt can be prevented or that the radiological consequences of fuel melt can at least be controlled

- An event for which a detailed event tree analysis is performed in the frame of the PSA.

The most common approach for the detailed analysis of external hazards in the frame of the PSA is to perform an event tree analysis and to calculate the resulting core damage / large release frequency from this event.

Another approach is to assess safety margins in the design against potential impacts from the respective hazard. The most common example is the seismic margin assessment applied to identify margins in the seismic design of structures and components and to demonstrate robustness against loads from beyond design earthquakes. Margin assessments may support both PSA and deterministic analysis of design extension hazards.

A third approach would be the definition of deterministic load cases and subsequent explicit analysis (mechanical, thermal-hydraulic, etc.) showing that structures and systems can withstand the load case.

In all approaches, understanding of the associated uncertainties, both epistemic and aleatory, is required [3]. A qualitative uncertainty analysis should be performed discussing the potential influence of the assumptions considered. In the frame of PSA the qualitative uncertainty analysis may be complemented by a quantitative uncertainty analysis of the resulting core damage frequency / large release frequency.

Design changes or improvements might be necessary if

- The robustness of the design cannot be demonstrated,

- The probabilistic target values for the core damage frequency / large release frequency are exceeded,

- The contribution of the hazard to the core damage frequency / large release frequency results in an unbalanced design.

5. Conclusions and Lessons Learned from the Fukushima Accident

The external event screening analysis is described as a method to evaluate the design against external hazards and especially beyond design external hazards. As a result of the screening analysis, those external events are identified which need to be analyzed in detail as a Design Extension Hazard (DEH), in the probabilistic safety analysis (PSA), or by margin assessments to demonstrate robustness of the design.

Effects from single and combined external events need to be analyzed. Specifically in light of the Fukushima accident, the focus is on the identification of relevant combinations of external hazards for which the effect of the combination is more severe than, or has relevant additional effects compared to, the single event.

Some guidelines (see e.g. [1] and [4]) do not allow a screening of certain hazards, especially earthquake, as these hazards are applicable to nearly all sites and specific regulations apply. In consequence these hazards are omitted during data collection and screening. For the identification of potentially relevant event combinations this may create drawbacks, as vital information may not be available. It is therefore important to include the full spectrum of hazards in the process.


Correlation mechanisms with the potential to induce hazards to the plant, and effects on safety functions to control any transient induced by the combined hazards, need to be investigated in more detail. Especially if the screening is based on a low frequency of the event combination, the potential of this combination for inducing a large early release has to be considered in such a way that the frequency criterion is based on LERF and not on CDF.

The effects of beyond design external events may make it more difficult to perform possible accident management actions to cope with hazard induced unavailability of safety systems. Such actions are:

- Actions to fill up water storages and fuel oil storages for beyond design grace times,

- Actions to start back-up systems,

- Actions to recover failed / damaged components.

In addition, the Fukushima accident has shown that the analysis of beyond design external hazards must take into account severe damage to the plant infrastructure and the public infrastructure, in such a way that offsite support, e.g. delivery of diesel fuel oil or make-up water, usually credited in safety analyses as available, may not be possible or may be more difficult to manage.

The systematic approach of the external event screening method provides a means to demonstrate the robustness of the plant to effects of design extension hazards in the frame of the plant response analysis or the detailed analysis of such external hazards and combinations of external hazards which have been identified as relevant for the plant in the screening analysis.

Site specific information and data on strength and frequency of beyond design external events is an important basic input to perform an external event screening analysis.

This input is needed as early as possible for new build projects such that any potential site specific issue to be taken into account for the design of the plant against external events is identified in the early phase of the project.

Experience from ongoing projects has shown that it is not always possible to receive this information in an adequate level of detail. As a consequence, the external hazard screening often involves engineering judgment. Care has to be taken that the assumptions applied are properly documented to allow a later check, e.g., in the frame of periodic safety reviews.

References

[1] M. Knochenhauer, P. Louko. “Guidance for External Event Analysis”. SKI Report 02:27, February 2003.

[2] IAEA SSG-3. Development and Application of Level 1 PSA for Nuclear Power Plants.

[3] WENRA Booklet: Safety of new NPP designs, draft 9, Position 6 External Hazards. RHWG, October 2012.

[4] Probabilistische Sicherheitsanalyse (PSA): Qualität und Umfang; Richtlinie für die schweizerischen Kernanlagen. ENSI-A05/d, January 2009.


SESSION 2

SPECIFIC FEATURES OF ANALYSIS AND MODELING OF PARTICULAR NATURAL EXTERNAL HAZARDS

Chair: Jeanne-Marie Lanore

J. Holý, M.Hladky, O.Mlady, L.Kolar, M.Jaros ESTIMATION OF FREQUENCY OF RARE NATURAL EXTERNAL EVENTS OF VERY HIGH INTENSITY ON THE BASE OF (NON)AVAILABLE DATA

L. Tunturivuori EXTERNAL HAZARDS IN THE PRA OF OLKILUOTO 1 AND 2 NPP UNITS - ACCIDENTAL OIL SPILLS

In-Kil Choi, D. Hahm, M. Kyu Kim CURRENT STATUS AND ISSUES OF EXTERNAL EVENT PSA FOR EXTREME NATURAL HAZARDS AFTER FUKUSHIMA ACCIDENT

J. L. Brinkman REALISTIC MODELLING OF EXTERNAL FLOODING SCENARIOS A MULTI-DISCIPLINARY APPROACH


ESTIMATION OF FREQUENCY OF OCCURRENCE OF EXTREME NATURAL EXTERNAL EVENTS OF VERY HIGH INTENSITY ON THE BASE OF (NON)AVAILABLE DATA.

Holý J.*), Hladky M.**), Mlady O.***), Kolar L.*), Jaros M.*)
*) ÚJV Řež, a. s., Hlavni 130, 250 68, Husinec-Rez, Czech Republic
**) NPP Dukovany
***) NPP Temelin

Abstract

Relatively frequent natural external events are usually of minor safety importance, because NPPs are constructed and operated to withstand their effects with a significant safety margin. Thus, risk analysis is typically devoted to natural events of exceptional intensity, which mostly have not occurred up to now, but which could still happen with some low probability and critical consequences. Since “direct” plant specific data providing evidence about such events is not available, special data treatment and extrapolation methods have to be employed for frequency estimation.

The paper summarizes a possible approach to the estimation of rare event frequency by means of extrapolation from available data and points out the potential problems and challenges encountered during the analysis. The general framework is commented on in the presentation, regarding the effects of the choice of probabilistic distribution (Gumbel distribution versus the others), methods of working with data records (To take out some observations and why?) and analysis of the quality of input data sets (To mix the data sets from different sources or not? To use “old” observations?).

In the first part of the paper, the approach to the creation of the NPP Dukovany deterministic design basis regarding natural external events, which was used in the past, is summarized. The second, major part of the paper is devoted to bringing the ideas of probabilistic safety assessment into the safety assessment of external hazards, including such specific topics as addressing the quality of available data records, discussion of possible violations of common assumptions expected to be valid by the rules of statistical data analysis and the ways to fix them, the choice of probabilistic distribution modeling data variability, etc. Examples of results achieved for the NPP Dukovany site in the Czech Republic are given in the final section.

This paper represents a coordinated effort with participation of experts and staff from the engineering support organization UJV Rez, a. s. and both NPPs located in the Czech Republic – Dukovany and Temelin.

1. Introduction – NPP Dukovany design basis regarding natural external events

With respect to extreme meteorological events, the original design requirements for NPP Dukovany were developed on the basis of the Russian standard PIN AE-5.6 [1], used generally for all safety important structures, including buildings, and applied across technologies with high demands on safe operation. In this standard, events with a return period of 10 000 years (1E-04/year) were considered and conservative safety factors of 2,5 for extreme wind load and 2,0 for extreme snow load were used if sufficient data for a given time interval was not available (which is quite typical for such events of extreme magnitude). In other words, the systems and buildings were designed and constructed to withstand an event of a magnitude 2,5 (2,0) times bigger than the postulated event with a return period of 10 000 years. For non-safety important structures (buildings), the less conservative Czech normative document CSN 73 0035 (Load on civil constructions) [2] was used. The PGA value of 0,06g was used to define the requirements on plant system and structure design regarding seismic load.

The main problem, which appeared later, during engineering support and evaluation of NPP Dukovany operation in the nineties, was that the postulated requirements were not fully met during NPP construction. For that reason, a reassessment of the design basis was performed in 2000 as a part of the plant safety report revision on the basis of the following principles:

- design basis for safety important structures/buildings was defined at 2 levels:

  - design load – represented by the events’ magnitude of return time period of once per 100 years,

  - maximum estimated possible load – represented by the events’ magnitude of return time period of once per 10 000 years,

- the statistical data analyzed in support of the design basis reassessment covered the history of meteorological parameters recorded both at the local and at several surrounding meteostations during the last 30 years,

- the Gumbel probabilistic distribution was used for derivation of the frequency of events,

- the minimum PGA value for a seismic event was increased on the basis of recommendations in IAEA guidelines up to the value of 0,1g.

The current values of natural events parameters corresponding to the design basis are presented in the following table [3]. These values are very close to those postulated in 2000.

Table 1: NPP Dukovany natural events corresponding to design basis

| Meteorological event / Parameter | Return time 100 year: Value | Return time 100 year: Load | Return time 10 000 year: Value | Return time 10 000 year: Load |
|---|---|---|---|---|
| Gusty wind / speed | | | | |
| Instantaneous speed | 47,4 m/s | | 64,1 m/s | |
| 10 s average speed | 38,4 m/s | | 51,9 m/s | |
| 10 min average speed | 26,5 m/s | | 35,8 m/s | |
| Basic wind load - CSN | | 0,92 kN/m² | | 1,68 kN/m² |
| Basic wind load - EN | | 0,44 kN/m² | | 0,80 kN/m² |
| Snow / equivalent water column | 109 mm | 1,09 kN/m² | 195 mm | 1,95 kN/m² |
| Rain precipitation / water column (per 24 hour) | 77 mm | | 115 mm | |
| Maximum temperature / absolute early maximum | 39°C | | 46,2°C | |
| 6-hour average | 38,5°C | | 46,2°C | |
| Minimum temperature / absolute early minimum | -30,8°C | | -46,7°C | |
| Daily average | -24,0°C | | -37,8°C | |
| 5 day average | -21,4°C | | -35,3°C | |


In 2010-2011, a new revision of the design basis values for the natural events of extreme wind and extreme snow was carried out on the basis of the following principles:

- the maximum calculation load for safety important structures/buildings for the event return time of 10 000 years (corresponding to a frequency of event occurrence of 1E-04/year) was specified (in the NPP Dukovany PSA project, the screening frequency for this event is 1E-07/year),

- the codes for normal industry buildings design and construction were used for non-safety important structures/buildings,

- the CSN EN 1991-1-4 [4] and CSN EN 1991-1-3 [5] normative documents were not used for extreme wind and extreme snow, because the values used there correspond to a return time of 50 years only and the highest values can be excluded, based on the data from snow and wind maps with records covering the history of the last 50 years,

- for derivation of values corresponding to events with longer return periods, a probabilistic analysis and extrapolation had to be used.

It should be pointed out that, in general, the current design basis for NPPs in the Czech Republic is much more conservative than for other industrial technologies or civil objects. First of all, the demands on construction and design correspond to the values of natural events with a return period of 10 000 years, not only 50 or 100 years. The estimation of values corresponding to a long return time is connected with a very high level of uncertainty.

The values derived for design basis applications can be used in the estimation of initiating event frequency in a very straightforward manner. The values related to the 100 and 10 000 year return periods correspond to frequencies of 10⁻² and 10⁻⁴ per year, respectively. For any other value of a (critical) load, the frequency can be evaluated using the selected probabilistic distribution and interpolation of these two fixed values.
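The frequency evaluation described above, as an added example (not code from the paper or from the NPP Dukovany PSA): a Gumbel law is passed through the 100-year and 10 000-year instantaneous gust speeds of Table 1 and then inverted to give the annual exceedance frequency of any critical load. Reading "interpolation of these two fixed values" as a two-point Gumbel fit is an assumption, and the critical loads in the demo loop are hypothetical.

```python
import math


def reduced_variate(return_period_years):
    """Gumbel reduced variate y = -ln(-ln(1 - 1/T)) for a series of annual maxima."""
    return -math.log(-math.log1p(-1.0 / return_period_years))


def fit_gumbel_two_points(x1, t1, x2, t2):
    """Location mu and scale beta of the Gumbel law that passes through two
    (value, return period) pairs, e.g. the 100- and 10 000-year design values."""
    y1, y2 = reduced_variate(t1), reduced_variate(t2)
    beta = (x2 - x1) / (y2 - y1)
    mu = x1 - beta * y1
    return mu, beta


def exceedance_frequency(load, mu, beta):
    """Annual probability that the yearly maximum exceeds `load`:
    1 - exp(-exp(-(load - mu) / beta)), evaluated without cancellation."""
    return -math.expm1(-math.exp(-(load - mu) / beta))


def return_level(return_period_years, mu, beta):
    """Load that is exceeded on average once per `return_period_years`."""
    return mu + beta * reduced_variate(return_period_years)


def loglinear_frequency(load, x1, f1, x2, f2):
    """Alternative reading of the text: straight-line interpolation of
    log10(frequency) between the two fixed design values."""
    slope = (math.log10(f2) - math.log10(f1)) / (x2 - x1)
    return 10.0 ** (math.log10(f1) + slope * (load - x1))


# Table 1, instantaneous gust speed in m/s for the two design-basis levels.
V100, V10000 = 47.4, 64.1
MU, BETA = fit_gumbel_two_points(V100, 100, V10000, 10_000)

if __name__ == "__main__":
    print(f"Gumbel location = {MU:.3f} m/s, scale = {BETA:.4f} m/s")
    # Hypothetical critical loads, chosen only to exercise the functions.
    for v in (50.0, 55.0, 60.0, 70.0):
        f_gumbel = exceedance_frequency(v, MU, BETA)
        f_loglin = loglinear_frequency(v, V100, 1e-2, V10000, 1e-4)
        print(f"{v:5.1f} m/s  Gumbel {f_gumbel:.3e}/yr  log-linear {f_loglin:.3e}/yr")
```

Between the two design values the two readings agree to within about one percent, because the upper tail of a Gumbel law is very nearly exponential; they diverge only for loads well below the 100-year value.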

2. Revision of natural external events design basis supported by probabilistic safety assessment and statistical data analysis

Recently, in 2010 and 2011, the design basis assessment regarding external hazards was updated. For NPP Dukovany, the most detailed analyses were done for the extreme wind and extreme snow hazards, whose assumed risk impact was considered to dominate that of the other external hazards.

The original design basis data were based only on observations recorded at two meteostations during 30 years, and the assumptions, the way of data collection and the reasons for selecting the stations were not well documented. In the more recent analysis [6], wind speed records from five meteostations (with meteorological conditions similar to those at the plant site) were processed in addition to those from the station located directly at the plant site:

• Dukovany – 22 years of experience + 6 years added later,

• Brno Turany – 49 years,

• Kostelni Myslova – 50 years,

• Kucharovice – 50 years,

• Luka – 35 years,

• Pribyslav – 50 years of experience.

In this phase, the analysis was supported by a comprehensive correlation analysis of the everyday observations taken from the individual data sources. The results showed a fairly high level of correlation between the values taken from most of the selected data sources and, in general, supported the use of the available data from the various meteostations located in the plant vicinity. Since the Dukovany data were available over a relatively short time period only, the non-parametric Spearman correlation coefficient was used to select the best-fitting data source.

Although the primary goal of the analysis was to derive the values of external event parameters with expected return periods of 100 and 10 000 years, respectively, it was also possible to use the results of the extrapolation analysis in the reverse way, to derive the initiating event frequencies used in the PSA study. In this way, PSA experts, who later became independent reviewers of the methodology and results of the analysis originating in CHMU Brno, were involved in the exercise. During the revision and update of the analysis, the specialists from UJV Rez, a. s. provided important comments on various aspects of meteorological data collection and analysis: selection of data sources, treatment of various data quality issues, selection of the probability distribution for modeling data variability and extrapolation (Gumbel versus the other distributions) and, particularly, interpretation of the results of the analysis.

The selection of the probabilistic distribution was a key point of the analysis. The following candidates were taken into consideration (the first three distributions are recommended by IAEA guidelines; the latter ones are used by hydrometeorology experts, but only for the analysis of events with a much shorter return period, i.e. 50-100 years, than events of a magnitude that may cause a real problem for NPP safety):

1. Gumbel (skewness (s) = 1,14),

2. Fréchet (s > 1,14),

3. Weibull (s < 1,14),

4. GEV (widely used by hydrometeorology institutes),

5. 3 parametric lognormal distribution (s > 0 or s < 0, depending on concrete data sample),

6. (two parametric) lognormal distribution.

The first recommendation regarding the distribution choice was made by CHMU experts in the more recent calculations, where the Gumbel and GEV distributions were compared. In these calculations, the Kolmogorov-Smirnov test p-value was derived as a measure of fit of the theoretical distribution to the empirical data, leading to the conclusion that the GEV distribution provides a better fit. However, this conclusion was found inappropriate for highly improbable high-magnitude natural events with a very long return time period (10 000 years).

Later, there was an interesting discussion about the distribution choice between UJV and CVUT Klokner Institute specialists, in which, despite the recommendations in IAEA guides, the 3-parametric lognormal distribution was preferred to the Gumbel distribution by some experts. The reason for moving to the lognormal distribution was the alleged excessive conservativeness of the Gumbel distribution and a not very good fit of some data samples with the skewness value of the Gumbel distribution (which is constantly 1,14). However, it was emphasized during the discussion that, for other empirical data, the sample skewness was quite close to the postulated value and that, on the other hand, the proposed 3-parametric lognormal distribution had other parameters or characteristics (kurtosis) that did not fit the empirical data well. In fact, using the 3-parametric lognormal distribution in test computations (with empirical data from the NPP Dukovany vicinity) led to extremely non-conservative results in comparison with what was expected from real data and also in comparison with the results of similar studies.

Although such a discussion can be seen as fairly theoretical and oriented too much towards the methodology of the analysis, the truth is (as was proven by a series of computations) that the choice of the distribution may have a crucial impact on the overall results of the analysis and, consequently, on the plant strategy for treating external hazards and setting priorities.

In the following table, preliminary results of a comparison of the Gumbel and GEV distributions are presented, with two methods of GEV parameter estimation applied: the moment method and the maximum likelihood estimation method. As can be seen, the GEV method produces fairly (unrealistically) close high wind speed values for the 100 and 10 000 year return periods. For the two data samples with the smallest number of observations, the Gumbel distribution also provides relatively low extreme values, because the highest wind speed values close to those observed in the NPP Dukovany vicinity are missing from these samples. However, the remaining four more complete samples, where the high observed wind speed values are available, produce significantly higher estimates of wind speed with return periods of 100 and, particularly, 10 000 years.

Table 2: NPP Dukovany extreme wind speed estimates based on records taken from several meteostations

| Characteristics | Reliability | B2BTUR01 | B2DUKO01 | B2KMYS01 | B2KUCH01 | O2LUKA01 | P3PRIB01 |
|---|---|---|---|---|---|---|---|
| Number of values | | 49 | 22 | 50 | 50 | 35 | 50 |
| Gumbel distribution, parameters estimated by method of weighted moments | | | | | | | |
| p-value | 50% | 0,699 | 0,588 | 0,724 | 0,987 | 0,729 | 0,658 |
| N=100 | 50% | 42,94 | 38,62 | 47,08 | 46,46 | 43,44 | 45,44 |
| N=10000 | 50% | 58,66 | 48,65 | 65,05 | 63,43 | 56,78 | 62,16 |
| GEV, parameters estimated by method of weighted moments | | | | | | | |
| p-value | 50% | 0,905 | 0,888 | 0,834 | 0,990 | 0,914 | 0,701 |
| N=100 | 50% | 41,21 | 35,69 | 43,07 | 45,17 | 40,08 | 42,92 |
| N=10000 | 50% | 50,23 | 36,99 | 48,24 | 56,87 | 43,21 | 50,51 |
| GEV, parameters estimated by maximum likelihood method | | | | | | | |
| N=100 | 50% | 41,78 | 35,02 | 41,71 | 45,52 | 39,37 | 42,82 |
| N=10000 | 50% | 51,35 | 35,75 | 45,01 | 57,40 | 41,78 | 50,49 |

A more detailed comparison of the results of application of four different families of probabilistic distributions with the parameters derived by two methods (maximum likelihood method and moment method) for analysis of data taken from 6 meteorological stations was conducted in CVUT Klokner institute [7]:

1. three–parametric lognormal distribution LN3 – parameters derived by the moment method,

2. three–parametric lognormal distribution LN3 – parameters derived by the maximum likelihood method,

3. GEV distribution - parameters derived by the maximum likelihood method,

4. Gumbel distribution - parameters derived by the maximum likelihood method.

Table 3: Details of NPP Dukovany extreme winds analysis – parameters of various distributions derived on the basis of data records taken from several meteostations

| Theoretical model | Parameter | Czech rep. | Dukovany (new) | Luka | Brno Tuřany | Pribyslav | Myslova | Kucharovice |
|---|---|---|---|---|---|---|---|---|
| | Number of values | 50 | 28 | 35 | 49 | 50 | 50 | 50 |
| (1) Lognormal 3P, moments method derived | Mean μx | 42,3 | 30,3 | 31,8 | 29,2 | 30,9 | 31,4 | 31,9 |
| | Standard deviation σx | 3,99 | 3,21 | 3,55 | 4,48 | 4,51 | 4,79 | 5,03 |
| | Skewness αx | -0,073 | -0,266 | 0,121 | 0,954 | 0,480 | 0,137 | 0,943 |
| | x*min, x*max | -121,7 | 66,6 | -56,3 | 14,7 | 2,5 | -73,6 | 15,4 |
| | EV 10 000 years | 57,8 | 40,6 | 46,0 | 57,2 | 52,9 | 50,7 | 63,2 |
| (2) Lognormal 3P, MLE parameters | Mean μy | 4,51 | 3,56 | 3,51 | 2,98 | 3,03 | 4,09 | 2,94 |
| | Standard deviation σy | 0,043 | 0,089 | 0,105 | 0,215 | 0,210 | 0,080 | 0,248 |
| | x*min, x*max | -48,7 | 65,7 | -1,66 | 9,11 | 9,63 | -28,3 | 12,4 |
| | EV 10 000 years | 58,0 | 40,4 | 47,5 | 52,8 | 55,0 | 51,7 | 60,0 |
| (3) GEV, MLE parameters | Shape par. k | -0,201 | -0,331 | -0,228 | -0,070 | -0,121 | -0,201 | -0,044 |
| | Dispersion par. s | 3,80 | 3,29 | 3,53 | 3,71 | 4,09 | 4,64 | 4,12 |
| | Location par. m | 40,8 | 29,3 | 30,4 | 27,3 | 28,9 | 29,5 | 29,7 |
| | EV 10 000 years | 56,7 | 38,8 | 44,0 | 52,5 | 51,6 | 49,0 | 60,9 |
| | Mean | 42,3 | 30,3 | 31,8 | 29,2 | 30,8 | 31,4 | 31,9 |
| | Standard deviation | 3,99 | 3,21 | 3,64 | 4,38 | 4,59 | 4,88 | 5,01 |
| | Skewness | 0,250 | -0,161 | 0,159 | 0,773 | 0,549 | 0,251 | 0,898 |
| (4) Gumbel, MLE parameters | Mean μx | 40,6 | 28,9 | 30,2 | 27,2 | 28,8 | 29,2 | 29,6 |
| | Standard deviation σx | 3,11 | 2,5 | 2,76 | 3,49 | 3,52 | 3,74 | 3,92 |
| | Skewness αx | 1,14 | 1,14 | 1,14 | 1,14 | 1,14 | 1,14 | 1,14 |
| | EV 10 000 years | 69,2 | 51,9 | 55,7 | 59,3 | 61,2 | 63,7 | 65,7 |


The values of extreme wind speed with a return period of 10 000 years are compared in the table. In the case of the Gumbel distribution with its constant skewness of 1,14, the final values are influenced, first of all, by the maximum values in the individual samples taken from the meteostations. For that reason, the highest wind speed value was derived for the artificial sample “Czech rep.”, with maximum values taken from all meteostations over the Czech Republic. When the three-parameter lognormal distribution or the GEV distribution is used, the derived “Czech rep.” values of wind speed are not even the highest ones (which looks a bit suspicious) and most of the derived values are significantly lower than for Gumbel. For this and several other reasons, the values derived by means of the Gumbel distribution were transferred into the NPP Dukovany PSA study.

In the next table, the final results of the evaluations carried out in CHMU Prague (Brno subdivision) and the results of the independent revision performed in UJV Rez are presented. Whereas the Gumbel distribution and moment-method estimation of parameters were used by the CHMU specialists, the Lieblein technique according to the attachment to IAEA Guideline 50-SG-S11A was used in UJV. Both sets of results fit the design basis values quite well.
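The sensitivity to the distribution choice discussed above, as an added example (not code from the paper): the 10 000-year wind speeds of Table 3 are recomputed from the printed MLE parameters for the Gumbel and GEV models. It assumes that the Gumbel rows labelled "Mean μx" and "Standard deviation σx" act as location and scale and that the GEV shape k enters as in the formula below; both readings are the ones that reproduce the printed "EV 10 000 years" values.

```python
import math

# Table 3 (MLE rows): data set, Gumbel location, Gumbel scale,
# GEV location m, GEV dispersion s, GEV shape k, printed Gumbel EV, printed GEV EV.
TABLE3 = [
    ("Czech rep.",     40.6, 3.11, 40.8, 3.80, -0.201, 69.2, 56.7),
    ("Dukovany (new)", 28.9, 2.50, 29.3, 3.29, -0.331, 51.9, 38.8),
    ("Luka",           30.2, 2.76, 30.4, 3.53, -0.228, 55.7, 44.0),
    ("Brno Turany",    27.2, 3.49, 27.3, 3.71, -0.070, 59.3, 52.5),
    ("Pribyslav",      28.8, 3.52, 28.9, 4.09, -0.121, 61.2, 51.6),
    ("Myslova",        29.2, 3.74, 29.5, 4.64, -0.201, 63.7, 49.0),
    ("Kucharovice",    29.6, 3.92, 29.7, 4.12, -0.044, 65.7, 60.9),
]


def gumbel_return_level(loc, scale, years):
    """x_T = loc - scale * ln(-ln(1 - 1/T))."""
    return loc - scale * math.log(-math.log1p(-1.0 / years))


def gev_return_level(loc, scale, shape, years):
    """x_T = loc + scale/shape * ((-ln(1 - 1/T))**(-shape) - 1); Gumbel when shape -> 0."""
    t = -math.log1p(-1.0 / years)
    if abs(shape) < 1e-12:
        return loc - scale * math.log(t)
    return loc + scale / shape * (t ** (-shape) - 1.0)


def gev_upper_bound(loc, scale, shape):
    """For shape < 0 the GEV has a finite upper end point loc - scale/shape:
    no return period, however long, yields a larger value."""
    return loc - scale / shape if shape < 0 else math.inf


def compare(years=10_000):
    """One dict per data set with recomputed and printed values."""
    rows = []
    for name, g_loc, g_scale, m, s, k, printed_gumbel, printed_gev in TABLE3:
        rows.append({
            "data_set": name,
            "gumbel_100": gumbel_return_level(g_loc, g_scale, 100),
            "gumbel_10000": gumbel_return_level(g_loc, g_scale, years),
            "gev_100": gev_return_level(m, s, k, 100),
            "gev_10000": gev_return_level(m, s, k, years),
            "gev_upper_bound": gev_upper_bound(m, s, k),
            "printed_gumbel": printed_gumbel,
            "printed_gev": printed_gev,
        })
    return rows


if __name__ == "__main__":
    print(f"{'data set':<15}{'Gumbel 100':>11}{'Gumbel 1e4':>11}"
          f"{'GEV 100':>9}{'GEV 1e4':>9}{'GEV bound':>11}")
    for r in compare():
        print(f"{r['data_set']:<15}{r['gumbel_100']:>11.1f}{r['gumbel_10000']:>11.1f}"
              f"{r['gev_100']:>9.1f}{r['gev_10000']:>9.1f}{r['gev_upper_bound']:>11.1f}")
```

All fitted GEV shapes are negative, so each GEV model has a hard ceiling (about 39,2 m/s for the Dukovany sample); this is why its 100-year and 10 000-year values lie so close together while the Gumbel values keep growing with the logarithm of the return period.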

Table 4: Final results of NPP Dukovany extreme winds analysis

| Meteo-station | Number of years | μ_G | β_G | Maximum (100 years - UJV) | Maximum (10000 years - UJV) | Maximum (100 years – CHMU) | Maximum (10000 years – CHMU) |
|---|---|---|---|---|---|---|---|
| EDU | 22 | 29,046 | 2,402 | 40,1 | 51,17 | 38,86 | 48,65 |
| Kucharovice | 50 | 29,701 | 3,842 | 47,37 | 65,08 | 46,46 | 63,43 |
| Turany | 50 | 27,181 | 3,564 | 43,58 | 60,01 | 42,94 | 58,66 |
| Kostelni Myslová | 49 | 29,501 | 3,464 | 45,43 | 61,40 | 47,08 | 65,05 |
| Pribyslav | 50 | 28,978 | 3,384 | 45,55 | 60,15 | 45,44 | 62,16 |
| Luka | 35 | 30,059 | 3,119 | 44,41 | 58,79 | 43,44 | 56,78 |
| EDU new | 28 | 28,648 | 3,080 | 42,81 | 57,01 | --- | --- |

Extreme snow analysis

For the extreme snow analysis [8], the approach to deriving extreme values was very similar to the extreme wind case. At the beginning of the analysis, data from nine meteostations located in the plant vicinity were analyzed with the aim of selecting the most appropriate data sample. In addition to the criteria based on the scope and quality of the data sample, a feature specific to extreme snow analysis, in comparison with extreme wind analysis, was found: the impact of meteostation elevation on the data (the corresponding statistical null hypothesis of no impact of elevation on the height of snow cover was rejected on the basis of the available data).

Finally, three meteostations were selected to provide data for extrapolation analysis:


• Dukovany – very close to the plant, with the same elevation, 28 years of experience,

• Hrotovice – very close to the plant, with approximately the same elevation, 50 years of experience (the maximum achievable value for the set of meteostations at disposal),

• Namest – relatively close to the plant, with approximately the same elevation, 50 years of experience.

The data sets from these three meteostations, once again in the form of yearly maxima, were used and several probability distributions were tested to find the best-fitting one. Finally, the Gumbel distribution was selected and the analysis was performed in a similar way as in the extreme wind case.

Conclusions regarding methodology and results of extreme wind and extreme snow analysis

Several general conclusions regarding the methodology of the analysis can be drawn on the basis of the new experience with extrapolation of values based on the analysis of meteorological data records:

• the selection of the probabilistic distribution has an essential impact on the results; that is why it is recommended to perform a comparative analysis for several proposed probability distributions and to select the one with 1) the best references for the given type of analysis and 2) a good fit to the data sample concerned; in general, selection of the Gumbel distribution is recommended,

• the way the reference meteostation is selected as the major data source, having the same or similar meteorological conditions as the site concerned, is very important; that is why the data source directly from the plant site should be used, if possible; if several meteostations are candidates for the major data source, a correlation analysis of the data should be performed and the best-fitting data source selected; using a meteostation close to the plant site as the primary major data source should be considered even if data directly from the plant site are at disposal, provided that the “close” data still fit the case well and are more conservative at the same time,

• using the largest available data set (of well-fitting and good-quality data), if possible, is highly recommended, but a good sample size should be ensured carefully and some approaches should be avoided, because they can destroy the statistical qualities of the chosen data sample (particularly the assumption that the data set is a sample of independent observations following the same statistical law):

  - the data sources (data from different meteostations) should not be combined, if possible,

  - a lack of data (small sample size) should not be solved by including the second, third, etc. yearly maximum values in the sample (in addition to the first maximum value); this approach in particular has a significantly negative impact on data quality and the credibility of the results.

3. Vulnerability analysis of buildings ultimate resistance against natural phenomena

Both deterministic and probabilistic approaches have been used for the vulnerability analysis in the case of NPP Dukovany. In the deterministic approach, the analysis of safety-important structures has been done for only two load strengths:

• design load – for events and loads with parameters corresponding to a return time period of 100 years, including combinations of different loads,

• maximum calculated (realistic) load – for events and loads with parameters corresponding to a return time period of 10 000 years; no combination of (highly improbable) different loads was taken into consideration in this case.

In the probabilistic approach, the screening frequency value used has been as low as 10⁻⁷. For more probable/frequent events, the plant response to the external event has been considered and analyzed in the plant PSA [9], particularly for extreme natural events with a frequency in the interval <10⁻⁴ – 10⁻⁷>, which are considered beyond design basis events by the traditional deterministic approach.

Models, framework and results of extreme wind and snow consequence analysis

The ultimate stability of a building structure is represented by the level of load (interpreted by means of meteorological parameters: extreme wind speed, water level, snow weight/height, extremely high/low temperature) which, with high probability, would cause damage to the building and/or loss of the safety functions ensured by the safety-important systems housed inside.

The methodology developed in UJV Rez, a. s. – division 2500 ENERGOPROJECT [10] (former Dukovany NPP general designer) has been used for the vulnerability analysis. In general, the analysis is connected with high uncertainty in the results, in the assumptions regarding loss of safety functions and in the modeling of equipment availability. In most cases, no plant-specific fragility curves are available and the subsequent PSA analysis is based on a simplified approach and assumptions. For the external 400 kV and 110 kV power supply grid, for example, a resistance against wind gusts of 33 - 38 m/s is expected on the basis of analysis, but no fragility curves have been constructed in a systematic manner.

Major improvements

A number of measures have recently been proposed at NPP Dukovany with the aim of decreasing the risk of plant operation related to external events. This process will continue until 2015, when the NPP will apply to the Czech regulatory body for prolongation of operation. However, the process of addressing the impact of external events started well before the Fukushima event (the probabilistic safety assessment model part has been significantly enhanced and gradually developed since 2008).

After Fukushima, the process of evaluation and mitigation of external event risk accelerated at NPP Dukovany and has absorbed many new facts both from the evaluation of the Fukushima event and from the European stress tests program [11]. The following actions can be highlighted:

• reinforcement of safety-important structures (turbine hall, central pumping station) against the consequences of natural external events (seismic hazard event, wind, snow),

• reinforcement of a specific non-safety-important building (fire brigade building), whose availability may have a significant impact on the process of mitigating external event consequences,

• a new safety feature with a key impact on the risk level of loss of ultimate heat sink scenarios: installation of ventilator cooling towers,

• development of a broad list of other “Post-Fukushima” measures addressing the design and availability of safety-important equipment and, in addition, the organizational and engineering support aspects (new broad deterministic and probabilistic analyses, new aspects in training),

• new procedures for plant response to external natural events and to loss of safety functions (ultimate heat sink, station blackout).

4. Final conclusions

The process of adopting safety measures with the aim of gradually increasing the operational safety of Czech NPPs, particularly in the area of external hazards, has been continuously under way for several years. A number of concrete examples were given in the previous chapters of this paper.

To organize the development of measures increasing NPP resistance against external events, and to set priorities for it, it is necessary to understand and express explicitly (in terms of quantitative parameters) the real level of risk caused by highly improbable high-intensity natural events. Section 2 of this paper presents the broad discussion regarding the frequencies of occurrence of high-magnitude external events that has taken place in the Czech Republic recently. These frequencies represent one of the key inputs into the process of risk estimation for external hazards.

There is large uncertainty connected with the modeling and particularly the quantification of external event impact (selection of a suitable probabilistic distribution, quality and robustness of the statistical data set, selection of the reference meteostation, wind and snow maps existing only for events with a return time of 50 - 100 years, etc.). For the design basis events with a return time of 10 000 years, fragility curves for structures are not available, which makes the subsequent phase of the analysis, the modeling and quantification of the plant response to the occurrence of an initiating event, difficult.

Although the results of external event risk analysis typically carry a high level of uncertainty (particularly connected with the quantitative values of initiating event frequencies), these analyses represent a necessary and important step forward in getting a realistic picture of the total risk of NPP operation, despite the fact that a detailed guide for external events PSA modeling does not exist (in many countries, external events are still not included in the PSA models at all).

References

[1] PIN AE-5.6, Normative documents for NPP design, Ministry of Nuclear Energetics of Soviet Union, 1986

[2] CSN 73 0035, Tichy M., Building constructions load, Prague 1986

[3] NPP Dukovany Safety report, revision 2012

[4] CSN EN 1991-1-4, Eurocode 1: Construction load - Part 1-4: General loads – Load by strong wind, CNI, 2007

[5] CSN EN 1991-1-3 Eurocode1: Construction load – Part 1-3: General loads – Load by heavy snow, CNI, 2005

[6] Stepanek, Zahradnicek: Providing of meteorological data and elaboration of professional standpoint for the purposes of forecast of extreme wind speed in the Dukovany locality, CHMU Brno, 2010

[7] Holicky M.: Critical analysis of theoretical models of wind speed distributions, Klokner Institute of Czech Technical University, Prague, informative material, 2.3. 2011

[8] Stepanek, Zahradnicek, Zaruba: Providing of meteorological data and elaboration of professional standpoint for the purposes of forecast of extreme snow cover in NPP Dukovany locality, CHMU Brno, 2011

[9] NPP Dukovany Living PSA 2012 (Part 2, Extreme natural events), revision 2, UJV Z 3494T, January 2013

[10] Methodology for evaluation of NPP Dukovany and NPP Temelin building constructions behavior in case of extreme climatic conditions load, UJV Rez, EGP 504J3-F-111736, 2011

[11] Evaluation of Safety and Safety Margins in the light of the accident of the NPP Fukushima, National Report on „Stress Tests“ NPP Dukovany and NPP Temelín Czech Republic, revision 1, 2012


EXTERNAL HAZARDS IN THE PRA OF OLKILUOTO 1 AND 2 NPP UNITS - ACCIDENTAL OIL SPILLS

Lasse Tunturivuori Teollisuuden Voima Oyj, Olkiluoto, FI-27160 Eurajoki, Finland

Abstract

Oil transports in Finnish territorial waters have increased significantly during the last 10 years. The Gulf of Finland is at this moment a very important route for oil being transported from Russia to Western Europe. Although accidental oil spills are decreasing in number and in size, there is a growing concern about their effects on nuclear power plants (NPPs). The amounts of oil transported on the Gulf of Bothnia are much smaller than on the Gulf of Finland. However, accidental oil spills have also occurred there, although they have been smaller in size and number.

Accidental oil spills are often a result of the grounding of a ship or a collision of two ships, and often occur during harsh weather conditions like a storm or dense fog. However, coastal oil depots may also break, and their oil may spread over wide distances on the sea.

The modelling of initiating events resulting from accidental oil spills includes the oil spill response actions performed by the regional rescue services, notification of the oil spill by the emergency response centre to the NPP rescue services, and the spill response by the NPP's rescue services. It is unclear what the consequences would be if drifted oil entered the coolant water tunnels. The effects of different oil types on the operation of the safety-related service water systems and components are being assessed. In the ultimate case, an oil spill would clog the inlet channels, thus failing the ultimate heat sink of the NPP units.

The licensee is evaluating what is the optimal way to operate the NPP units in the case that an oil slick is threatening the plant to ensure reactor core cooling and RHR. The continued operation of, and especially the cooling of, at least one auxiliary feedwater pump is critical in the mitigation of the initiating event. Strategies, like reversing the water flow of the cooling water channels or closing of the cooling water channels, are being evaluated.

1 Introduction

The Olkiluoto nuclear power plant (NPP) is situated on the Island of Olkiluoto in Western Finland on the coast of the Gulf of Bothnia. At the NPP, there are two operating units, Olkiluoto NPP units 1 and 2 (OL1 and OL2). These NPP units are boiling water reactors (BWR) built by ASEA-ATOM in the late 70's and early 80's. Both units' safety systems are divided into four redundant subsystems (divisions), each of which has a capacity of 50 %. Thus, two of the divisions must operate in order to successfully perform a given safety function. The decay heat removal system (RHRS) and the component coolant water systems (CCWS), including the cooling of the diesel generators, are dependent on sea water cooling via the service water systems.

Oil transports on Finnish territorial waters have increased significantly during the last 10 years. The Gulf of Finland is at this moment a very important route for oil being transported from Russia to Western Europe. Although accidental oil spills are decreasing in number and in size, there is a growing concern about their effects on NPPs along the coast. The amounts of oil transported on the Gulf of Bothnia are much smaller than on the Gulf of Finland.

Oil spill accidents may occur due to ship collisions or grounding of a ship. This may lead to an event in which the oil slick drifts to the shores of Olkiluoto. The oil spills in the Gulf of Bothnia have been small in size and the spilled oil has most often been the fuel of the ship itself.

2 Analysis of oil spill accidents

2.1 Description of the phenomena

During the year 2012, about 3 million tons of oil was shipped to or from Finnish [1, 2] and 2 million tons of oil to or from Swedish [3] harbours by the Gulf of Finland. Ships enter the Gulf of Bothnia mostly through the Sea of Åland, which lies between the Åland islands and Sweden. Most ships then head directly towards their destination, with the result that there is no significant amount of oil transport close to Olkiluoto.

The closest harbour to Olkiluoto is the Port of Rauma, which is the 5th largest port in Finland and is located about 13 km south of Olkiluoto. In the Bothnian Sea, there have been 12 reported oil spill accidents during the period 1969 - 2012, of which 3 have occurred in front of Rauma. Globally, the number of oil spill accidents has decreased although the amount of sea transportation has increased. This is thanks to improved maritime safety. Accidental oil spills are often a result of the grounding of a ship or a collision of two ships, and they often occur during harsh weather conditions like a storm or dense fog. However, coastal oil depots may also break, and their oil may spread over wide distances on the sea. The wind direction affects the direction of the surface water current and, thus, the direction in which the oil slick drifts. On the Island of Olkiluoto, the main direction of the wind is from the south west, and a wind direction along the coast line is common. The main direction of the surface water current is from the south towards the north.

The behaviour of the spilled oil is affected by its specific gravity (its density relative to the density of water), volatility, viscosity and pour point, and by the current weather conditions. The spilled oil undergoes several weathering processes in the sea, e.g. evaporation, oxidation, emulsification, biodegradation, dispersion, dissolution, and sedimentation. The weathering processes depend on the characteristics of the spilled oil and change the characteristics themselves. Especially evaporation and emulsification change the characteristics of the oil into the characteristics of heavier types of oil, but evaporation, biodegradation, dissolution and sedimentation decrease the amount of oil in the slick. Emulsification, on the other hand, increases the volume of the oil slick. [4] Light oil types float on the surface of the water and evaporate easily. Heavier oil types may sink to the bottom or stay in the water column and drift below the surface. [5]

2.2 Response against oil spills

In case of an oil spill accident, the accident is reported to the Maritime Rescue Coordination Centre or to the Emergency Response Centre. The regional rescue services are alerted to perform the oil spill response. In Rauma, Uusikaupunki and Pori, there are ships that are equipped with oil booms and have the ability to collect oil in coastal waters.

A defence-in-depth principle is utilized in the oil spill response. The first barrier is the response by the regional rescue services at sea. The second barrier consists of oil booms on the islands close to Olkiluoto, which are permanently installed by the licensee. These oil booms may be deployed by boat and, thus, block the sounds between the islands close to the Olkiluoto Island in order to prevent the oil from entering the inlet channels of the NPP units. Further, a third barrier consists of oil booms installed at the inlet channels of NPP units OL1 and OL2. These booms may be swiftly deployed by hand. The actions to deploy the oil booms on the islands and at the inlet channels are performed by the plant rescue services. Cleaning of the travelling band screens, pumps and heat exchangers may be seen as a fourth barrier.

2.3 Consequences to the units

If oil entered the inlet channel and further sank several meters to the inlet tunnel, the most severe consequence would be clogging of the traveling band screens, thus tripping the condenser coolant water pumps and the service water pumps. This would lead to loss of the turbine condenser and of feedwater to the reactor, and to loss of the CCWS and RHRS. However, in such a situation, the traveling band screens could be cleaned one at a time, thus maintaining water flow to the service water systems. According to an independent expert analysis, high viscosity oil could decrease the pumping capacity by 20 % if it entered the service water systems. It would have only a minimal effect on the capacity of the heat exchangers. Oil types of low viscosity would not affect the systems.

2.4 Modeling of oil spills and their response

In the PRA of OL1 and OL2, an external hazard is modeled as an initiating event if the hazard leads to a transient and further to loss of equipment which is important to safety. In the analysis of the initiating event frequency of an oil spill accident, both the hazard frequency and the response to the oil spill accident are modeled.

The hazard frequency is assessed by using the fact that during 1969 - 2012, no oil spill accidents have occurred with a potential impact to the Olkiluoto Island. Further, the wind direction distribution has been taken into account. In the modeling of the initiating event frequency, the oil spill response at sea by the regional rescue services is accounted for, as well as the deployment of oil booms in the sounds between the islands south of the Olkiluoto Island and in the inlet channels of the NPP units.

The observation time is modeled using the ASEP screening diagnosis model. The event probability "Observation time < 5 h" is the conditional probability of receiving the alarm in Olkiluoto in 5 h on the condition that the alarm has or has not been received by the emergency response center in 1 h. The response times are long; it would in any case take several hours before the NPP would be exposed to oil. The failure probability of the response by the rescue services and of the deployment of the oil booms at the inlet channel is assumed to be 0.05 by expert judgment. The failure probability of the deployment of the oil booms between the islands is assumed to be 0.2, accounting for dependence on the deployment of oil booms in the inlet channels, since, with high probability, the same crew performs both actions.

It is assumed that if the oil would enter the inlet channel, it would also enter the inlet tunnel and clog the traveling band screens, thus resulting in a loss-of-feedwater transient event. In the modeling of the initiating event, an operator action to clean the traveling band screens is modeled. Failure to clean the traveling band screens would lead to loss of all service water systems.

3 Results

The modeling of the oil spill accident from the hazard event to the initiating event is presented in the event tree below.


Figure 1: Event tree of the oil spill accident hazard

Oil spill accident frequency: 8.9E-4 [1/a]

Observation time < 1 h | Oil spill stopped at sea | Observation time < 5 h | Oil boom between the islands | Oil boom at the inlet channel | Consequence | Frequency [1/a]
0.999 | 0.95 | - | - | - | Oil stopped at sea | 8.5E-4
0.999 | 0.05 | 0.9999 | 0.8 | - | Oil stopped between the islands | 3.6E-5
0.999 | 0.05 | 0.9999 | 0.2 | 0.95 | Oil stopped before the inlet channel | 8.5E-6
0.999 | 0.05 | 0.9999 | 0.2 | 0.05 | Oil may enter the inlet tunnel | 4.5E-7
0.999 | 0.05 | 1.E-4 | - | - | Oil may enter the inlet tunnel | 4.5E-9
1.E-3 | - | 0.5 | 0.8 | - | Oil stopped between the islands | 3.6E-7
1.E-3 | - | 0.5 | 0.2 | 0.95 | Oil stopped before the inlet channel | 8.6E-8
1.E-3 | - | 0.5 | 0.2 | 0.05 | Oil may enter the inlet tunnel | 4.5E-9
1.E-3 | - | 0.5 | - | - | Oil may enter the inlet tunnel | 4.5E-7

Total:
Oil stopped at sea | 8.5E-4
Oil stopped between the islands | 3.6E-5
Oil stopped before the inlet channel | 8.5E-6
Oil may enter the inlet tunnel | 9.0E-7

The Birnbaum measure of the initiating event resulting from the accidental oil spill is about 0.06 and the contribution to the total core damage frequency is 0.4 %. The distribution of the contribution of the internal events to the core damage frequency is shown in Figure 2 and the relative contribution of the external hazards excluding seismic hazards to the core damage frequency is shown in Figure 3.


Figure 2: Distribution of internal events of OL1.

[Pie chart "Internal events of OL1": internal transients 34 %; internal fires 22 %; LOCA 11 %; external hazards excl. seismic hazards 10 %; startup 9 %; transition to hot shutdown 7 %; outages 3 %; transition from hot shutdown to low shutdown 2 %; seismic hazards 1 %; internal floods 1 %; other internal hazards 0 %.]

4 Discussion

The maritime traffic in the Gulf of Bothnia is rather scarce. Since there are no refineries on the coasts of the Gulf of Bothnia, not much oil is transported. Most of the oil spills originate from the oil used by the ships themselves, so the spills are rather small in size. During the history of the Olkiluoto NPP, there have not been any oil spill accidents at sea that have had the potential to impact the Olkiluoto NPP. There are multiple defence barriers which would stop the spilled oil from arriving near the Olkiluoto NPP. An eventual initiating event, resulting from loss of feedwater, CCWS and RHRS, would be rather severe, the Birnbaum measure being 0.06. However, the initiating event frequency being low, the hazard has only a small contribution to the core damage frequency.

The initiating event frequency estimate is conservative, since only heavy oil types would enter the inlet tunnels and the waters near Olkiluoto are shallow. This means that the oil with the potential to enter the inlet tunnel is in the water column and it would sink to the bottom before reaching the Olkiluoto Island. These phenomena are, however, very difficult to model.


Figure 3: Distribution of external hazards excl. seismic hazards.

[Pie chart "External hazards excl. seismic events of OL1": mussels in inlet channel, LOFW, RHRS and CCWS 57 %; high water temperature 17 %; algae, LOFW, RHRS and CCWS 9 %; algae, LOFW and RHRS 4 %; oil spill 4 %; frazil ice, LOFW and ABCD cooling 3 %; frazil ice, LOFW and BD cooling 2 %; other 2 %; mussels in outlet channel, LOFW, RHRS (BD) and CCWS 1 %; mussels in outlet channel, LOFW, RHRS (AC) and CCWS 1 %.]

5 Improvements to oil spill response due to the PRA

The modeling of the initiating event frequency due to an oil spill accident uncovered a weak spot in the information exchange between the emergency response center and the licensee, TVO. Earlier, there was no procedure to alert TVO in case of an oil spill accident at sea. The probability that the information would not arrive at TVO was estimated to be 0.5. Nowadays, this information arrives at TVO through an automatic alarm. Thus, if the alarm has arrived at the emergency response center, the probability that the information would not arrive at TVO is estimated to be 10⁻⁴, which accounts for possible equipment failures. This improvement decreased the initiating event frequency resulting from oil spills by 96 %. As a consequence, the oil spill has gone from being a major contributor to the core damage frequency to a rather small one in the present model. The contribution to the core damage frequency from external hazards decreased from 20 % to 10 % in the update.
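The quantification behind Figure 1 and the 96 % reduction quoted in Section 5, as an added Python example that is not part of the original paper: it multiplies the branch probabilities along each sequence and sums the sequences per consequence. The function names are mine, and the earlier model is assumed to be the same tree with 0.5 in place of 1.E-4 on the branch where the emergency response center has been alerted; because Figure 1 prints the hazard frequency rounded to 8.9E-4, the results match the printed values only to within rounding.

```python
"""Quantify the oil spill event tree of Figure 1 from its branch probabilities."""
from collections import defaultdict

HAZARD_FREQ = 8.9e-4  # oil spill accident frequency [1/a], as printed in Figure 1

# Consequence labels, as in Figure 1
SEA = "Oil stopped at sea"
ISLANDS = "Oil stopped between the islands"
CHANNEL = "Oil stopped before the inlet channel"
TUNNEL = "Oil may enter the inlet tunnel"


def boom_subtree():
    """Second and third barrier: booms between the islands, then at the inlet channel."""
    inlet = ("Oil boom at the inlet channel", 0.95, CHANNEL, TUNNEL)
    return ("Oil boom between the islands", 0.8, ISLANDS, inlet)


def plant_alarm(p_fail):
    """'Observation time < 5 h': if the alarm does not reach the plant, no boom is deployed."""
    return ("Observation time < 5 h", 1.0 - p_fail, boom_subtree(), TUNNEL)


def build_tree(p_fail_5h_erc_alerted, p_fail_5h_erc_not_alerted=0.5):
    """A node is (heading, P(success), success branch, failure branch); a leaf is a consequence.

    The response at sea is only asked when the emergency response center (ERC)
    was alerted within 1 h, as in Figure 1.
    """
    at_sea = ("Oil spill stopped at sea", 0.95, SEA, plant_alarm(p_fail_5h_erc_alerted))
    return ("Observation time < 1 h", 0.999, at_sea, plant_alarm(p_fail_5h_erc_not_alerted))


def sequences(node, freq=HAZARD_FREQ, path=()):
    """Yield (path, consequence, frequency [1/a]) for every sequence of the tree."""
    if isinstance(node, str):  # leaf reached
        yield path, node, freq
        return
    heading, p_ok, ok_branch, fail_branch = node
    yield from sequences(ok_branch, freq * p_ok, path + ((heading, "yes"),))
    yield from sequences(fail_branch, freq * (1.0 - p_ok), path + ((heading, "no"),))


def totals(tree):
    """Sum the sequence frequencies per consequence (the 'Total' rows of Figure 1)."""
    out = defaultdict(float)
    for _, consequence, freq in sequences(tree):
        out[consequence] += freq
    return dict(out)


def initiating_event_frequency(tree):
    """Frequency of oil reaching the inlet tunnel, i.e. of the initiating event."""
    return totals(tree)[TUNNEL]


# Present model: automatic alarm, 1.E-4 failure once the ERC has been alerted.
CURRENT_TREE = build_tree(p_fail_5h_erc_alerted=1e-4)
# Assumption (not spelled out in the paper): the earlier model is the same tree
# with the 0.5 "information does not arrive at TVO" probability on that branch.
EARLIER_TREE = build_tree(p_fail_5h_erc_alerted=0.5)


def reduction_from_automatic_alarm():
    """Relative decrease of the initiating event frequency due to the automatic alarm."""
    return 1.0 - initiating_event_frequency(CURRENT_TREE) / initiating_event_frequency(EARLIER_TREE)


if __name__ == "__main__":
    for path, consequence, freq in sequences(CURRENT_TREE):
        branches = ", ".join(f"{heading}: {answer}" for heading, answer in path)
        print(f"{freq:8.1E}  {consequence}  [{branches}]")
    for consequence, freq in totals(CURRENT_TREE).items():
        print(f"Total {consequence}: {freq:.1E} 1/a")
    print(f"Reduction due to the automatic alarm: {reduction_from_automatic_alarm():.0%}")
```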

6 Conclusions

The maritime traffic in the Gulf of Bothnia is rather scarce. Most of the oil spills originate from the oil used as fuel by the ships themselves, so the spills are rather small in size. During the history of the Olkiluoto NPP, there have not been any oil spill accidents at sea that have had the potential to impact the Olkiluoto Island. There are multiple defence barriers which would stop the spilled oil from arriving near the Olkiluoto NPP.

Improvements in oil spill response at the NPP, especially in the information exchange between the regional response centre and the NPP rescue services and in the installation of oil booms, have decreased the probability that an oil spill accident would affect the safety of the Olkiluoto NPP units.

References

1. Statistics on Domestic Waterborne Traffic in Finland 2011, Statistics from the Finnish Transport Agency 2/2012, Finnish Transport Agency, Finland (2012).

2. Statistics on International Shipping 2011, Statistics from the Finnish Transport Agency 5/2012, Finnish Transport Agency, Finland (2012).

3. Shipping Goods 2012, Statistik 2013:11, Trafikanalys, Sweden (2013).

4. ITOPF Handbook 2013/14, The International Tanker Owners Pollution Federation Limited, United Kingdom. http://www.itopf.org/ accessed 2013-05-24.

5. Fate of Marine Oil Spills, ITOPF Technical Information Paper 2, The International Tanker Owners Pollution Federation Limited, United Kingdom. http://www.itopf.org/ accessed 2013-05-24.


CURRENT STATUS AND ISSUES OF EXTERNAL EVENT PSA FOR EXTREME NATURAL HAZARDS AFTER FUKUSHIMA ACCIDENT

In-Kil Choi¹, Daegi Hahm¹, Min Kyu Kim¹

¹Korea Atomic Energy Research Institute, Daejeon, Korea

Abstract

Extreme external events have emerged as a significant risk contributor to nuclear power plants after the Fukushima Daiichi accident, which was caused by a catastrophic earthquake followed by a great tsunami exceeding the design basis. This accident shows that extreme external events have the potential to simultaneously affect redundant and diverse safety systems and thereby induce common cause failures or common cause initiators. The probabilistic risk assessment methodology has been used for risk assessment and safety improvement against extreme natural hazards. The earthquake and tsunami hazard is an important issue for the nuclear industry in Korea. In this paper, the role and application of probabilistic safety assessment for the post-Fukushima actions are introduced. For the evaluation of extreme natural hazards, probabilistic seismic and tsunami hazard analysis is being performed for safety enhancement. The research activity on external event PSA and its interim results are introduced, together with the issues to be solved in the future to enhance the reliability of the risk analysis results.

1. Introduction

In Korea, 22 nuclear power plant (NPP) units are in operation, and 6 units are under construction. For the safety assessment of NPPs against natural hazards, the seismic event and the meteorological tsunami, rather than the earthquake-induced tsunami, are considered. Other extreme natural hazards such as super typhoons or heavy rainfall are not considered yet. Hence, after the Tohoku earthquake and tsunami, many activities were launched to improve the PSA technology for extreme external hazards, including beyond-design-level events. In addition, after the Fukushima Daiichi accident, about 50 action items were planned to improve plant safety against extreme earthquakes and tsunamis. In this paper, the role and application of probabilistic safety assessment for the post-Fukushima actions are introduced. The current status and issues of external event PSA for extreme natural hazards in Korea are also presented.

2. Post Fukushima Actions In Korea

After the Fukushima Daiichi accident, a total of 50 action items to improve plant safety were planned and initiated. Some of the major efforts for seismic and tsunami safety improvement are as follows:

• Increase the height of the tsunami wall at the Kori nuclear power plant site

• Re-evaluation of seismic capacity of safety related SSCs

• Re-evaluation of deterministic and probabilistic seismic hazard for a nuclear power plant site

• Re-evaluation of design tsunami height for NPP sites

• Installation of watertight doors for the emergency power system and safety-related components

• Construction of protection wall for yard tanks

The risk reduction effect of these safety improvement actions is preliminarily evaluated by deterministic and probabilistic methods (Figure 1). In the probabilistic method, the risk reduction effect (CDF) prior to the enhancement and reinforcement is estimated by PSA (probabilistic safety assessment).

Figure 1. Preliminary Evaluation of Risk Reduction Effect by Improvement

After the Tohoku earthquake, seismic and tsunami safety were re-evaluated. For the seismic safety re-evaluation, the seismic hazard of Korea is re-estimated to take into account the potential probabilities of great earthquakes beyond the design level. The re-estimation of the seismic hazard is performed by both the deterministic approach (DSHA, deterministic seismic hazard analysis) and the probabilistic approach (PSHA, probabilistic seismic hazard analysis). For all operating nuclear power plants (22 units), the seismic safety assessment is performed by the SMA (seismic margin analysis) and SPRA (seismic probabilistic risk assessment) methods. In the safety re-evaluation project using the PSA approach, internal and external event PSA for full-power and low-power shutdown states will be performed. After the post-Fukushima actions in Korea, the seismic capacity of the safe shutdown system will be improved to 0.3g, which is the same as the design level of new NPPs. To enhance the seismic capacity level, the SSCs related to safe shutdown were first identified. The seismic capacities will be re-evaluated by fragility analysis. For weak links, a plan to improve seismic capacity will be made, and weak SSCs will be reinforced or replaced.

In Korea, the design wave height due to a tsunami event was also re-evaluated after the Tohoku earthquake and tsunami. To enhance the accuracy of tsunami PSA results, tsunami-genic sources around the Korean peninsula were identified, and numerical simulation technologies and models will be developed. The availability of the cooling water intake during high sea waves and tsunamis, considering debris, will also be evaluated. To enhance the safety of NPPs against tsunami events, the following protection systems against tsunami were introduced.

• Increase the height of the tsunami wall at the Kori NPP site to 10.0 m

• Watertight doors for all the openings and doors on the 1st floor, including entrance doors, equipment hatches and ventilating openings

• Flood protection wall for yard tank

3. Research Activities in Korea

The final goal of research activities on risk assessment for extreme external events in Korea, especially for KAERI (Korea Atomic Energy Research Institute) is the development of site risk assessment & management technology for extreme external events. The key research topics are risk evaluation methodology for extreme external events, integrated risk assessment technology for multiple units, and advanced AM (accident management) and EM (emergency mitigation) technology for internal and external events.

For the risk evaluation against extreme external events, structural safety for beyond-design-basis earthquake ground motion will be developed. New risk assessment technology for tsunami, super typhoon, heavy rainfall, aircraft impact accident, and other important external events is also being developed. To develop the integrated risk assessment technology for multiple units, we are developing the site risk assessment methodology and models. To improve the AM and EM technology, we are focusing on advances in integrated severe accident management (ISAM), risk-informed emergency preparedness (RI-EP), and spent fuel pool risk management (SFP-RM).

3.1. On the Seismic Event PSA

To improve the PSA for the seismic event, KAERI performed research to reduce uncertainties in the PSHA procedure. In Korea, because of the lack of strong earthquake data, historical earthquake data were overestimated and a conservative approach was used to estimate PSHA parameters for NPP sites. To reduce this conservatism, we first performed a sensitivity analysis for the PSHA input parameters that have uncertainties, such as the seismic source map, the Gutenberg-Richter a and b values, the maximum magnitude for each seismic source, the focal depth, and the attenuation equations. From the results of the sensitivity analysis, it was concluded that the dominant parameters are the Gutenberg-Richter a and b values and the attenuation equations (Figure 2).

Based on the sensitivity analysis, KAERI re-evaluated the input parameters for PSHA. The historical earthquake data of Korea were re-estimated. The best estimate values for the Gutenberg-Richter a and b values and the best estimate seismic source map were adopted in consideration of experts' opinions. We also constructed a logic tree for PSHA considering the improved PSHA input parameters. Figure 3 shows the resulting refined seismic hazard curves for the Ulchin NPP site compared to the conservative ones. Based on these results, a probabilistic methodology to evaluate the UHS of a soft soil site by multiplying that of the bedrock site by an amplification factor was also proposed [1].


Figure 2. PSHA Sensitivity Analysis Results with respect to Uncertain Input Parameters

Figure 3. Improved Seismic Hazard Curves compared to Conservative Seismic Hazard Curves

For operating NPPs, KAERI also carried out research to develop a realistic seismic risk evaluation system which includes the consideration of aging of structures and components [2, 3]. A condensate storage tank (CST) located at the Ulchin NPP of Korea was selected to demonstrate the applicability of the developed methodology, since the CST is one of the most important SSCs in the seismic PSA and some degradation phenomena were observed in CSTs (Figure 4). U.S. NRC Regulatory Guide (RG) 1.174, Rev. 2 [4], "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," defines the acceptable level of changes of NPPs in terms of risk, i.e., the core damage frequencies (CDFs). Hence, we performed PSAs to obtain the CDFs for a series of fragility capacities of the degraded CST.

The CDFs and ΔCDFs for the degraded CST were estimated by the seismic PSA procedure, and the ΔCDF values versus the baseline CDF, i.e., the CDF for the fresh condition, are plotted in Figure 5, overlaid on the risk acceptance regions prescribed in U.S. RG 1.174, Rev. 2. The degradation acceptance criterion in terms of HCLPF was estimated as 0.422g for a ΔCDF of 1.0E-6, which means the CDF and ΔCDF remain in Region III, the proposed acceptance criterion for degradation of NPPs.


Figure 4. Condensate Storage Tank & Its Degradation Phenomena

Figure 5 respect to Degradation of CST

3.2. On the Tsunami Event PSA

Before the Tohoku earthquake and tsunami, a tsunami PSA methodology for the Korean peninsula was developed by KAERI [5]. This tsunami PSA method includes tsunami hazard analysis, tsunami fragility analysis and system analysis. In the tsunami hazard analysis, evaluation of the tsunami return period was a major task. For the evaluation of the tsunami return period, an empirical method using historical tsunami records and tidal gauge records was applied (Figure 6). For the tsunami fragility analysis, a procedure was established and the target equipment and structures for the tsunami fragility assessment were selected. In the system analysis, accident sequences of the tsunami event were developed according to the tsunami run-up and draw-down, and the tsunami-induced core damage frequency (CDF) was determined.

In Korea, a 5-year research project on advanced PSA for the tsunami event was launched in 2012 by KAERI. In the new project, the probabilistic tsunami hazard analysis (PTHA) will be performed by numerical simulations using the identified potential tsunami-genic sources (Figure 7), a newly developed tsunami simulation code (Figure 8), and geographical data near and at NPP sites. The tsunami PSA methodology and risk quantification model will also be improved by the evaluation of hydrodynamic force, the effect of debris, the structural failure probability of the breakwater structure and intake structure, functional failure criteria for offsite power, etc.

Figure 6. Tsunamis Return Period Evaluation by using Empirical Method

Figure 7. Considered Seismic Sources for Tsunami Hazard Analysis


Figure 8. Example of Tsunami Wave Propagation Simulation Result

3.3. On the Other External Event PSA

3.3.1. Other Extreme Natural Hazards

Along with the research plan for advanced seismic and tsunami PSA, KAERI made a parallel research plan to develop new external event PSA technologies that consider other extreme natural hazards which could be a severe threat to NPPs, such as super typhoons, heavy rainfall, landslides, etc. For the development of PSA for these other extreme natural hazards, the most severe and critical potential external events were selected from the catalog of all kinds of external events in Korea. From the historical records of typhoon wind speeds and maximum rainfalls in Korea, we found an increasing trend in the maximum values, i.e. the maximum wind speeds of typhoons and the maximum rainfalls per 1 hr or 1 day (Figures 9 and 10). Based on this trend, we chose the super typhoon and heavy rainfall as the most important and severe natural hazards apart from earthquakes and tsunamis. For these external events, KAERI will develop the hazard analysis method, the fragility analysis method, and the risk quantification methodology and models.


Figure 9. Maximum Wind Speed and Instance Wind Speed in Korea

Figure 10. Maximum Rainfalls /1hr & 1day in Korea

3.3.2. Aircraft Impact Accident

An aircraft impact accident might be classified as a human-induced hazard rather than a natural hazard, but its phenomena and consequences for NPPs are very similar to those of the other extreme natural hazards. Hence, in Korea, research to develop aircraft impact risk quantification technologies was initiated in 2012. Figure 11 shows the procedure to estimate the probabilistic risk of NPPs from an aircraft impact accident. The items on the left were performed in the first year, 2012, and the items in the right column are planned to be performed from 2013 to 2016.


Figure 11. Risk Assessment Procedure for Aircraft Impact Accident

4. Conclusions

The role and application of probabilistic safety assessment for the post-Fukushima actions were introduced. It can be expected that NPPs will be safer after the post-Fukushima actions. The research activity in Korea on external event PSA and its interim results were also introduced, together with the issues to be solved in the future to improve the reliability of the risk analysis results. In conclusion, we propose some suggestions to enhance external event PSA for extreme natural hazards after the Fukushima accident:

• Exclude excessive conservatism in external events hazard analysis owing to a double standard for non-nuclear and nuclear facilities

• Need to develop external risk acceptance criteria with technical basis and public acceptance

• International cooperation is essential for external hazard assessment

References

[1] D.Hahm, J.-M.Seo and I.-K.Choi, 2011. Probabilistic Seismic Hazard Assessment Method for Nonlinear Soil Sites based on the Hazard Spectrum of Bedrock Sites, Transactions of the Korean Nuclear Society Spring Meeting, Taeback, Korea, May 26-27.

[2] D.Hahm, Y.-S.Choun, I.-K.Choi, J.Nie and J.Braverman, 2012. Estimation of CDF Considering the Degradation Effect of the Condensate Storage Tank, Transactions of the Korean Nuclear Society Spring Meeting, Jeju, Korea, May 17-18.

[3] J.Nie, J.Braverman, C.Hofmayer, Y.-S.Choun, D.Hahm and I.-K.Choi, 2011. A Procedure for Determination of Degradation Acceptance Criteria for Structures and Passive Components in Nuclear Power Plants - A Case Study using A Condensate Storage Tank, Technical Report, KAERI.


[4] NRC, 2011. NRC RG 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 2, Nuclear Regulatory Commission, Washington, DC.

[5] M.Kim and I.-K.Choi, 2012. A Tsunami PSA Methodology and Application for NPP Site in Korea, Nuclear Engineering and Design, 244(2012), 92-99.


REALISTIC MODELLING OF EXTERNAL FLOODING SCENARIOS A MULTI-DISCIPLINARY APPROACH

J. L. Brinkman, NRG, Utrechtseweg 310, 6800 ES Arnhem, The Netherlands

1. Introduction

Extreme phenomena, such as storm surges or high river water levels, may endanger the safety of nuclear power plants (NPPs) by inundation of the plant site with subsequent damage to safety-related buildings. Flooding may result in simultaneous failures of safety-related components, such as service water pumps and electrical equipment. In addition, the accessibility of the plant may be impeded due to flooding of the plant environment. These consequences are so severe that (re)assessments of flood risk and flood protection measures should be based on accurate state-of-the-art methods.

Dutch nuclear regulations require that a nuclear power plant shall withstand all external initiating events with a return period lower than one million years. For external flooding, this requirement is the basis of the so-called nuclear design level (nucleair ontwerp peil, NOP) of the buildings for external flooding, i.e. the water level at which a system – among others, the nuclear island and the ultimate heat sink – should still function properly. In determining the NOP, the mean water level, wave height and wave behaviour during storm surges are taken into account. This concept could also be used to implement external flooding in a PSA, by assuming that floods exceeding NOP levels directly lead to core damage. However, this straightforward modelling ignores some important aspects. The first is the mitigating effect of external flood protection such as dikes or dunes. The second is that although water levels lower than NOP will not directly lead to core damage, they could do so indirectly as a result of combinations of system loss by flooding and random failure of the safety systems required to bring the plant to a safe, stable state. Time is a third aspect: failure mechanisms need time to develop, and time (via the duration of the flood) determines the amount of water on site.

This paper describes a PSA approach that takes the (structural) reliability of the external defences against flooding and timing of the events into account as basis for the development and screening of flooding scenarios.

2. Plants in the Netherlands

In the Netherlands there are four sites where nuclear reactors were or are located. Figure 1 gives their locations. The first nuclear power plant built in the Netherlands was a 50 MWe BWR (GKN, a pre-MK I with two suppression tanks). This plant, shut down since 1997, was located in the floodplains of the river Waal. The second power plant is located close to the North Sea coast in the Westerschelde estuary: KCB, a 500 MWe PWR. The third and fourth reactors are pool-type research reactors built in the early 1960s. The smaller one (HOR: 3 MWth) is located near the city of Delft in a polder area and the other (HFR: 45 MWth) is located in the dunes in the north-west part of the Netherlands.

Given their location, it will be clear that all 4 plants needed to consider external flooding as part of the design basis and later in their PSA. The four site locations illustrate the fact that external flooding is site specific. River floods differ in height and duration from sea floods, river dikes fail differently compared to sea dikes, and dunes in their turn fail in a different way compared to dikes. In case of sea flooding the impact of waves has to be assessed. In river flooding waves play a minor role.

Figure 12: Sites with nuclear reactors.

3. Deterministic design

3.1 Nuclear Base Level

In 1980, the Nuclear Base Level (in Dutch: Nucleair BasisPeil, NBP) and the Nuclear Design Level (Nucleair Ontwerp Peil, NOP) were introduced. The NBP results from the requirement that a nuclear power plant should be protected against external hazards in such a way that the probability of an accident with serious consequences caused by external events (in this case floods) will be small compared to the risk of serious accidents originating from causes within the plant itself. This requirement is met if the safety measures are such that an external event with a return period of 1 million years (frequency of 10⁻⁶ per year) or more can be withstood.

Basis of the NBP assessment is the official Water Level Exceedance Frequency line as used by the authorities in the design of flooding defences. Figure 2 gives an example for a sea location.


Figure 13: Water level exceedence curve

[Plot: exceedence frequency [1/y], logarithmic axis from 1.0E+00 down to 1.0E-08, versus mean water level [m], axis from 3 to 9.]

3.2 Nuclear Design Level

The next step is to add various surcharges to the NBP, as defined in the regulations of the IAEA. The resulting level is the calculated nuclear design level (calculated NOP). Examples of surcharges to take into account are:

• Effects of showers;

• Compensation for rising sea level and decreasing soil level;

• Settlement;

• Wave height.

Because of the dynamic effects of the water (waves), the calculated NOP can be divided into:

• Static NOP: The level at which a constant water load acts on the walls of the buildings in which the safety-related systems and components are housed. This water level is used in the stress-strength calculations for the building design, to withstand the water pressure.

• Dynamic NOP: This level is used to determine the minimum elevation at which systems have to be placed or up to which buildings should be watertight.

The expected life time of the plant has to be taken into account when calculating the surcharges. Regarding safety functions, the calculated dynamic NOP is decisive.

4. PSA

4.1 PSA and NBP

This NOP concept, as it has a frequency basis, could also be used to implement external flooding in a PSA, by assuming that floods exceeding NOP levels directly lead to core damage. However, as mentioned earlier, this straightforward modelling ignores three important aspects. The first is the mitigating effect of the external flood defences protecting the plant. The second is that although water levels lower than NOP will not directly lead to core damage, they could do so indirectly as a result of combinations of system loss by flooding and random failure of the safety systems required to bring the plant to a safe, stable state. Thirdly, the time aspect is ignored in two ways: 1) failure mechanisms need time to develop and 2) time (via the duration of the flood) determines the amount of water on site. Consequently, a more sophisticated approach is needed. In the development of this approach, use is made of the work of the Netherlands' Department of Water Management (Rijkswaterstaat), which applies a comparable probabilistic method for evaluating the designs of existing dikes and dunes.

From the three aspects mentioned above, it is clear that the change in approach is not so much in the flooding scenario development and modelling, but rather in the initiating event: the relation between water levels outside the external flooding defences and the water levels on site or in the plant buildings. This relationship is both physical (water level) and numerical (frequency).

4.2 Flooding scenarios

The development of external flooding scenarios in event trees starts with establishing which water levels will impact the safety relevant structures, systems and components, e.g. what on-site water level causes loss of off-site power or loss of the secondary plant. Loss can simply be caused by inundation or by collapse of a building. In the latter case not only the direct (dynamic) forces from the water on the walls of the buildings have to be taken into account, but also, depending on the distance between the building and the point where the water enters the plant site, undermining of the foundations needs attention. The plant internal design features against external flooding play a dominant role.

Once the discrete water levels are established, the scenario development is, as with all hazards, in principle straightforward. The basis of the event trees describing the flooding scenarios is the PSA internal events model. In general the event trees for a normal plant trip, loss of off-site power and loss of ultimate heat sink are used. These trees are pruned or modified to account for (parts of) systems lost as a result of the flooding level.

Before any external flooding scenario (event tree) can be developed, the relationship between the water level outside the defences against flooding and the water level, and thus the consequences, inside the plant should be clear. In fact the reasoning starts backwards as compared to the scenario description given by the event tree: what are the critical flooding levels inside/around the plant that impact safety relevant structures, systems and components, and how can they be related to water levels in the river or at sea? In general this will not be a one-to-one relationship.

4.3 Flooding frequencies

Generally less straightforward is determining the initiating event frequencies. This requires some sort of translation from the water levels off-site to the critical water levels on site. Two issues influence this translation:

1. The conditional failure probability of the external flood defence.

2. The duration of the flood in combination with the flood height, the way the flood defence fails and the site characteristics: these parameters determine the water level that is reached behind the failed flood defence.


Both issues lead to a reduction of the initiating frequency. The first issue results in a reduction factor on the initiating frequency at a given water level. The second issue means that a higher off-site water level (with a lower frequency) is needed to obtain a certain water level on site.

4.3.1 Failure of dikes and dunes

Flood defences can fail in different ways. Overtopping is not the only failure mechanism and is not by definition the dominant one. Figure 3 gives an overview of the main failure mechanisms.

- Overtopping: the dike fails because large amounts of water simply overrun the dike; the dike is not high enough.

- Macro-stability: the dike becomes unstable by water penetrating and saturating the core of the dike. The inside slope starts sliding under the sea or river side water pressure.

- Sea side erosion: the top layer (grass plus clay, stone, tarmac) is damaged by wave attack. Once this protective top layer is gone the main dike structure is eroded away.

- Piping: the water pressure forces water under the clay layer that covers the main structure of the dike or forms its foundation. So-called pipes form and the sand under the dike is washed away, causing the dike to collapse.

- Erosion of dunes: dunes fail in general simply by the wave action of the sea. Every wave reaching the dune row erodes the dune by removing sand.

The possible failure mechanisms make it clear that flood defences can and will fail at water levels below their maximum height. In all cases failure is defined as the condition that the amount of water passing the flood defence exceeds a predefined level that will not cause problems. For a dike it signifies the starting point of the development of a breach. It will take time to develop a full size breach.

To obtain the (conditional) failure probability the structural reliability of the flood defence is calculated by evaluating the resistance of the flooding defence against the possible failure mechanisms (strength of the flood defence) initiated by the high tide (stress on the flood defence). Interactions between the different failure modes are taken into account. Parameters influencing the strength of the flooding defence are the dimensions (e.g. width, height, slope), the material used for the underground, core material, and top layer, density and grain size distribution, permeability, subsoil type etc. Water level, wave height, wave frequency and wave direction are factors that determine the stress.


Figure 3: Major failure mechanisms for dikes and dunes (see footnote 6). Panels: overtopping; erosion water side; macro stability; piping; erosion of beach dunes.

Table 1 presents an example of the output of the calculation for a sea dike at a given storm surge level. It shows that erosion of the outer slope at the locations with a clay / grass top layer dominates the probability. Overtopping is not a major concern. Which of the mechanisms is dominant changes with the water level. Overtopping will clearly become more and more dominant as the water level comes nearer to the height of the dike. The type of flooding also influences the dominant failure mechanism. In the case of river dikes, piping and macro-instability are in general the dominating failure mechanisms.

Table 1: Example of a conditional failure probability, total and per failure mechanism, for given flooding height.

Failure mechanism                 Failure Prob.
Overtopping                       2.9E-08
Sea side erosion: stone cover     8.6E-10
Sea side erosion: grass cover     9.4E-07
Piping                            1.2E-08
Macro stability                   1.3E-08
Combined Failure Prob. (total)    9.9E-07

Figure 4 gives a result of a complete stress strength evaluation over a range of water levels for a sea dike.

6 http://www.helpdeskwater.nl/onderwerpen/waterveiligheid-0/programma%27-projecten/veilighed-nederland/publicaties/illustratiemiddelen


Figure 4: Conditional failure probability of a sea dike as function of flood level [m above mean sea level]. Plot axes: conditional failure probability [-], logarithmic scale from 1.0E-10 to 1.0E+00, against mean water level [m], 0 to 6.

4.3.2 Water level on site

The water level on site is determined by two factors: the amount of water that can enter the site and the amount of water needed to reach a certain water level.

The amount of water that can enter the site depends on the duration of the high water level and the size of the breach. High water levels in a river caused by, for instance, melting snow or heavy or prolonged rain can last for a long time (several days to over a week), while high flood levels at sea are mostly limited by the duration of the storm and the normal tide (12 - 48 hours). The breach size, and thus the amount of water that can enter the site, is also a function of time. Time is needed for the process of developing a breach and for the growth process of a breach. This process is depicted for a dike in figure 5.

Figure 5: Breach formation and growth (see footnote 7).

7 From “Visser, P.J. (1998), Breach growth in sand-dikes, Doctoral dissertation, Delft University of Technology, Delft, 172 pp”.


Erosion starts, for instance, at the inner slope by the water that is flowing down. The amount of water entering the site will remain constant until the crown of the dike is completely eroded away, the height of the dike starts dropping and the breach starts growing in width. This growth will stop when the flow rate is so low that no further erosion is possible.

As this process takes time and the speed at which it develops increases with increasing water level, it is conceivable that, certainly at lower flood levels, the breach has no time to develop completely before the flooding level drops. This means that although the flooding defence has failed, no water will enter the site.

If a full breach develops the next step is to evaluate the resulting water level on site, taking into account the surroundings of the site: e.g. the area that is flooded, its height and the height differences in this area.

The result of such an evaluation is given in figure 6. For instance a flood level of 4 m corresponds with a water level on site of approximately 2.8 m. The corresponding conditional probability of the flood defence failing at this level is 1E-4. Flooding levels below approximately 2.1 m do not result in significant amounts of water on site, because the low water level has no potential to form a breach of any significance.

Figure 6: Relation between water level on site (red line), and the flood level (blue line)

4.3.3 Initiating event calculation

The initiating event frequencies for a certain flooding scenario can be obtained by combining the conditional failure probability given a certain water level on site from figure 6 with the exceedance frequency from figure 2.

Suppose off-site power is lost at a water level of 3 m on site and that additional systems fail at 4 m on site. The loss of off-site power situation exists between off-site water levels of 4 and 4.8 m, with a conditional probability varying between 1E-4 and 2E-3. The accompanying exceedance frequency lies between 5E-2 and 2E-3. The resulting initiating frequency for loss of off-site power due to flooding is approximately 1.6E-5 per year. This value is calculated by discretising the exceedance curve between 4 m and 4.8 m, resulting in an approximated frequency per water level, multiplying these frequencies by their corresponding conditional failure probabilities and summing the results.
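The discretise, multiply and sum procedure described above can be carried through numerically. The following is an added example, not code from the paper: it uses only the end points quoted in the text (4 m and 4.8 m) and assumes log-linear interpolation between them in place of the real curves of figures 2 and 6, so its result approximates rather than reproduces the paper's 1.6E-5 per year.

```python
"""Initiating-event frequency for one flooding scenario (added example)."""
import math

# End points quoted in section 4.3.3 for the loss-of-off-site-power band.
H_LOW, H_HIGH = 4.0, 4.8              # off-site flood level [m]
EXCEED_LOW, EXCEED_HIGH = 5e-2, 2e-3  # exceedance frequency [1/yr]
PFAIL_LOW, PFAIL_HIGH = 1e-4, 2e-3    # conditional failure probability of the defence


def log_interp(h, y_low, y_high):
    """ASSUMPTION: straight line on a log axis between the two quoted points."""
    t = (h - H_LOW) / (H_HIGH - H_LOW)
    return math.exp(math.log(y_low) + t * (math.log(y_high) - math.log(y_low)))


def exceedance(h):
    """Frequency per year with which flood level h is exceeded (stand-in for figure 2)."""
    return log_interp(h, EXCEED_LOW, EXCEED_HIGH)


def p_defence_fails(h):
    """Conditional failure probability of the defence at level h (stand-in for figure 6)."""
    return log_interp(h, PFAIL_LOW, PFAIL_HIGH)


def band_frequency(h_low, h_high):
    """Frequency of floods peaking inside the band, with no credit for the defence."""
    return exceedance(h_low) - exceedance(h_high)


def initiating_frequency(h_low, h_high, n_bins=8):
    """Discretise the exceedance curve, weight each bin by the conditional
    failure probability at the bin midpoint, and sum the contributions."""
    width = (h_high - h_low) / n_bins
    rows, total = [], 0.0
    for i in range(n_bins):
        lo = h_low + i * width
        hi = lo + width
        bin_freq = exceedance(lo) - exceedance(hi)   # frequency of this level band
        p_fail = p_defence_fails(0.5 * (lo + hi))    # defence fails given this level
        contribution = bin_freq * p_fail
        rows.append((lo, hi, bin_freq, p_fail, contribution))
        total += contribution
    return total, rows


if __name__ == "__main__":
    total, rows = initiating_frequency(H_LOW, H_HIGH)
    print("level band [m]   freq [1/yr]   P(fail)    contribution [1/yr]")
    for lo, hi, f, p, c in rows:
        print(f"{lo:4.1f} - {hi:4.1f}      {f:9.2e}   {p:8.2e}   {c:9.2e}")
    print(f"band frequency without defence credit: {band_frequency(H_LOW, H_HIGH):.2e} /yr")
    print(f"initiating frequency (loss of off-site power): {total:.2e} /yr")
```

The table printed by the script shows that the lowest bands carry most of the frequency while the highest bands carry most of the failure probability, so no single end-point product represents the band.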


5. Conclusions

Realistic modelling of external flooding scenarios in a PSA requires a multi-disciplinary approach. Next to being thoroughly familiar with the design features of the plant against flooding, like its critical elevations for safety (related) equipment and the strength of buildings, additional knowledge is necessary on the design of flood protection measures such as dikes and dunes, their failure behaviour and modelling. The approach does not change the basic flooding scenarios (the event tree structure) themselves, but impacts the initiating event of the specific flooding scenarios.


SESSION 3

PRACTICES AND RESEARCH EFFORTS ON NATURAL EXTERNAL EVENTS PSA

Chair: Keisuke Kondo

N. Siu CONSIDERATION OF EXTERNAL HAZARDS AND MULTI-SOURCE INTERACTIONS IN THE USNRCs SITE LEVEL 3 PSA PROJECT

M. Türschmann, S. T. Sperbeck, G. Thuma RECENT RESEARCH ON NATURAL HAZARDS PSA IN GERMANY AND FUTURE NEEDS

P. Dupuy, G. Georgescu, F. Corenwinder TREATMENT OF THE LOSS OF ULTIMATE HEAT SINK INITIATING EVENTS IN THE IRSN LEVEL 1 PSA

M. H. Prasad, G. Vinod, A. R. Kiran, R. Rastogi, M. K. Agrawal, R.K. Singh and K. K. Vaze MODELING OF SEISMICALLY INDUCED MULTIPLE RARE EVENTS IN PSA OF INDIAN NPPs

G. Georgescu, F. Corenwinder, J.-M. Lanore PSA MODELING OF LONG-TERM ACCIDENT SEQUENCES


Recent Research on Natural Hazards PSA in Germany and Future Needs

Michael Türschmann, Silvio T. Sperbeck, Gernot Thuma
Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Germany

ABSTRACT

This contribution presents results of recent research and development activities with respect to probabilistic assessment of natural external hazards for nuclear power plants (NPP) in Germany. The German PSA Guideline and, in particular, its supplementary technical documents on PSA methods and data published in 2005 require probabilistic safety analyses (PSA) to be carried out in the frame of periodic safety reviews for nuclear power plants. With respect to external hazards this also includes PSA for explosion pressure waves, aircraft crash and external flooding, as well as seismic PSA. In general, a graded approach is applied. Seismic PSAs, for example, are required for sites with design basis earthquake (DBE) intensities exceeding VII on the MSK or EMS scale, whereas for sites with lower seismic hazard, simplified approaches are acceptable.

While methods are explicitly available for seismic and flooding PSA, this is not the case for other external hazards. Event combinations of natural external hazards with other events have also not yet been considered in external hazards PSA. Some related enhancements have taken place recently, and several activities are ongoing.

Various recent developments, such as results and findings of investigating the Fukushima Daiichi NPP accident in March 2011, concern the consideration of dependencies among different hazards or initiating events in the analysis. In this context, proposals for modeling different types of dependencies will be made. The dependencies to be mentioned are those among initiating events occurring simultaneously as consequence of a postulated external hazard, dependencies among the initial hazard and consequential hazards or events, such as fires, explosions, flooding, etc., and finally dependencies with respect to failures of structures, systems and components (SSC).

The starting point of any Hazards PSA is a site-specific probabilistic hazard assessment (PHA) that establishes a quantitative relationship between the magnitude of effects at the site under investigation and their occurrence frequencies. In combination with the evaluation of the corresponding load capacity of the plant, PHA allows the contribution of each external hazard to the overall risk to be quantified. As knowledge on the details of the natural (geological, hydrological, meteorological, etc.) processes for determining the site-specific hazards is limited, PHA are subject to substantial uncertainties which have to be taken into account throughout the risk assessment process.

In the recent past, methods for seismic PSA have been improved and adapted to the German site-specific situation. Based on the specifications in the PSA Guideline, a framework for a comprehensive information and data compilation has been developed by means of a database, which can be used for performing site-specific seismic PSA and be applied as a tool in the frame of their reviews for all plant specific queries. A two-stage screening approach of structures, systems and components (SSC) and their dependencies regarding seismic failure behavior has been developed that may be used to compile and complete the seismic equipment list (SEL) and the seismic dependency list (SDL). Moreover, the seismic robustness of all SSC of the SEL can be evaluated with respect to their safety significance.

This contribution also gives indications on already identified needs of analysts and reviewers in further enhancing PSA for external and internal hazards and their potential applications.

1 INTRODUCTION

The German PSA Guideline [1] and its supplementary technical documents on PSA methods [2] and data [3] require probabilistic safety analyses (PSA) to be carried out in the frame of safety reviews for nuclear power plants (NPP). Since 2005, this also covers probabilistic analyses for the following internal and external hazards:

- Fire,

- Internal flooding,

- Aircraft crash,

- Explosion pressure wave,

- External flooding, and

- Earthquake.

Only for these internal and external hazards does the technical guidance document on PSA methods [2] supporting the PSA Guideline provide specifications and methodological approaches for performing safety analyses. The risk contribution of other external hazards such as toxic clouds, external fires, ship collisions with intake structures, extreme weather conditions (e.g. lightning, storm, snow, ice and combinations of these), and biological phenomena only has to be roughly estimated. Hazards, as the term is used in this contribution, are fault-causing events of overall impact. Where ’a hazard’ is mentioned, it can be an internal or external one or a combination of two or more hazards.


The Fukushima Daiichi NPP accident in March 2011 gave reason and indications for re-checking models and results with respect to risk assessment of external hazards. Meanwhile, it is recommended that the safety assessment of a NPP also contain a comprehensive Level 1 PSA for all internal and external hazards (Hazards PSA). In addition, the adequate consideration of all possible dependencies should be ensured for each analytical step.

A standardized approach for performing a comprehensive Hazards PSA is being developed for all kinds of internal and external hazards. The approach emphasizes the complete consideration of all potential dependencies (impact dependencies of different hazards, dependencies of safety functions needed to control the consequences of hazard-induced initiating events and dependencies of hazard-induced failures of SSC) in the plant quantification model.

The systematic, and for the most part automatic, extension of the given plant model of Level 1 PSA is the real crux of the new approach. The extension is performed using hazard equipment lists (HEL) and hazard dependency lists (HDL). The lists are generated with database support.

Meanwhile, some parts of the approach have already been tested, e.g. the database-supported generation of HEL (in particular, the generation of a seismic equipment list, SEL [4]) and the automatic extension of fault tree models using the information of a fire equipment list, FEL.

2 SITE-SPECIFIC PSA FOR INTERNAL AND EXTERNAL HAZARDS

For a given NPP site, the impact of an event resulting from internal and external hazards on the core damage frequency (CDF) is to be assessed by means of Hazards PSA.

For that purpose, it is assumed that a Level 1 PSA for plant internal initiating events (IE) does exist for the NPP under consideration. This means in particular that a plant risk model, consisting of event and fault trees, has been derived in order to calculate the CDF and is available for further use. The basic events of this Level 1 plant risk model are mainly failures, malfunctions or unavailabilities of technical components and human errors. The model extensions refer also to failures or unavailabilities of buildings and their structural elements (e.g. rooms, walls, distribution systems such as pipes or cables).

The systematic performance of a Hazards PSA comprises three modeling steps (see Figure 1 and the following subchapters):

(1) Modeling step: internal and external hazards. It has to be analyzed which hazards H and which combinations of hazards are relevant at the NPP site, that is, to decide which of the hazards may contribute to the annual frequency of core damage states and which of them can be neglected in the further modeling.

(2) Modeling step: hazard-induced initiating events. For each relevant hazard of step (1) the hazard-induced initiating events must be analyzed. It is especially important to examine whether the detected initiating events must be modeled as so-called common cause initiators (CCI) and to what extent the hazard-induced initiating events occur simultaneously or nearly simultaneously. Such initiators have to be identified and properly included in the PSA model.

(3) Modeling step: hazard-induced unavailabilities of SSC. The plant risk model at hand must be extended for each relevant internal and external hazard H to include hazard-induced failures or unavailabilities. This extension has to be performed by means of previously derived equipment and dependency lists (see chapter 3). These lists, called HEL and HDL, are derived for each relevant internal and external hazard H within a comprehensive screening process including plant walkdowns.

Figure 1: Conduction of a site-specific PSA for internal and external hazards

2.1 Screening of Site-Specific Hazards

A catalog Lgen of generic hazards will be compiled using NPP operational experience with natural and man-made hazards from all over the world. Each hazard of Lgen is commented on in detail. When performing a site-specific Hazards PSA, the catalog Lgen constitutes the basis for selecting hazards and combinations of hazards for a list Ltotal containing all those hazards which could possibly occur at the site. It is the first task of the Hazards PSA to comment on and discuss each hazard from Ltotal using all site and plant specific information and data. A hazard from the catalog Lgen does not belong to the list Ltotal if there is no doubt that the hazard cannot occur at the site. In case of doubt the hazard has to be included in the list Ltotal, and the decision up to which level of detail the hazard has to be analyzed is made within the screening process outlined in the following.

A screening approach or a first rough analysis is applied to all hazards from the list Ltotal (please note that an event from Ltotal could either be a hazard or a combination of hazards). The result of the screening is the classification of the hazards into one of the lists L0, Lrough or Ldetail as illustrated in Figure 2. The list L0 contains all hazards that have been screened out, i.e. those hazards of Ltotal for which no further analysis is needed. The reasons for assigning hazards to this list have to be given in a traceable and sufficiently detailed manner. For hazards listed in Lrough a full PSA is not necessary. A conservative assessment is sufficient in order to show that the risk contribution is negligible.

Figure 2: Screening procedure of site-specific hazards

The list Ldetail contains all those hazards and hazard combinations which have to be analyzed in detail within a comprehensive Hazards PSA. As mentioned above, the German PSA Guideline and its supplementary technical document on PSA methods require that the external hazards aircraft crash, explosion pressure wave, flooding and earthquake be analyzed, i.e. these hazards are within Ltotal right from the beginning. For those four hazards, criteria are provided to make decisions on the depth of analysis necessary, i.e. whether the hazards have to be assigned to L0, Lrough or Ldetail. For instance, in case of an earthquake, the classification depends on the intensity of the site-specific design basis earthquake. It is a task within a current research project to develop general criteria for the unique assignment of all possible hazards from Ltotal to the lists L0, Lrough or Ldetail. For that purpose, deterministic as well as probabilistic criteria (rough assessments) can be used.

2.2 Hazard-Induced Initiating Events

Ldetail contains all those hazards and hazard combinations which have to be analyzed in detail in the frame of a comprehensive Hazards PSA, i.e. the possible IEs have to be determined for each hazard from Ldetail. In a Level 1 PSA for internal events, the risk is assessed for each relevant initiating event independently. Subsequently, the results are summed up. This is not possible in case of hazards. Those IE which are induced by a given hazard of the list Ldetail cannot be regarded as independent from each other. The possible dependencies among the IEs have to be considered when modeling the event and fault trees. In most cases, the analyst is concerned with so-called common cause initiators (CCI), i.e. with hazards that do cause one or more IEs as well as failures or unavailabilities of system functions which are needed to cope with these IEs.

The further procedure has to be determined based on the dependencies identified. Research on this is currently under way: it is being investigated whether the simplified model can still be used (error estimation) or a detailed modeling of all dependencies is needed.

2.3 Hazard-Induced Unavailabilities of SSC

The fault trees of the Level 1 PSA at hand are extended for a given hazard H from Ldetail by all H-induced malfunctions and unavailabilities of relevant SSCs. This extension is systematically undertaken based on the equipment and dependency lists HEL and HDL which have been derived before (see chapter 3). If a SSC is an element of HEL and if this SSC is also part of a dependency D from HDL, the fault tree characterizing the unavailability of this SSC can be complemented as shown in Figure 3. This fault tree extension must be performed for all SSC from HEL and for all dependencies D from HDL with the SSC under consideration as an element of the corresponding dependency set S (see the description of the triple model for dependencies in chapter 3.2).


3 SYSTEMATIC EXTENSION OF THE PLANT RISK MODEL

It is assumed that for a given hazard H of Ldetail the plant risk model is extended, i.e. it includes the dependencies of the caused IEs. Such a plant risk model must be additionally extended in order to capture all hazard-induced unavailabilities or failure possibilities of SSC. Therefore, it must be verified for each basic event whether the related component might be unavailable due to this hazard.

Moreover, it has to be analyzed whether hazard-induced malfunctions or unavailabilities of SSC exist which did not need to be considered in the Level 1 PSA for internal events. The model extension must be performed systematically in such a way that failure possibilities cannot be ignored.

Figure 3: Hazard-related extension of the plant risk model

3.1 Hazard Equipment List

For the systematic model extension covering all relevant hazard-induced malfunctions or unavailabilities, the so-called hazard equipment list (HEL) is derived, which includes all SSC that might fail and contribute to CDF.

Starting from all SSC of a NPP, the identification of SSC that might fail due to the hazard starts by means of a qualitative screening process, as illustrated in Figure 4. For the external hazard earthquake, this method has been successfully applied (supported by a database). An automatic extension - according to Figure 3 - of the RiskSpectrum® plant model can be carried out for all basic events included in the HEL [5].


Figure 4: Qualitative and quantitative screening process to derive HEL and HDL

The intention of a quantitative screening is to decide for which SSC a detailed determination of the hazard-induced failure probability is actually necessary.

3.2 Hazard Dependency List

For the compilation of the so-called hazard dependency lists (HDL), a two-step screening procedure is applied. This list includes all dependencies D among SSC, which have to be considered in case of hazard-induced failures. The dependency notation as a triple D is explained for the hazard earthquake.

Each hazard-related dependency of failure behavior among more than one SSC is characterized by a triple called D; D = (A, S, c). S symbolizes the set of SSC which are assumed to fail dependently in case of a seismic event. The symbol A denotes the common attribute of all SSC of S which may be responsible for more than one, up to all, SSC of S failing in case of a hazard. A function EA(x) is used to characterize the effectiveness of the attribute A due to a given hazard strength x. For example, x equals the acceleration a in case of an earthquake and the set S contains all SSC located in the turbine hall (TH). Being located in the turbine hall is the common attribute A for the SSC in S. The effectiveness function EA(a) of this attribute is expressed by the turbine hall fragility function, EA(a) = FTH(a); that means the dependency among the elements of S comes into effect with probability FTH(a). This is the probability that the turbine hall collapses in case of a seismic impact with acceleration a. The last member within the dependency describing triple D is called the coupling or linking function c. This function describes to which extent the common attribute A causes failures of more than one SSC of S due to the hazard strength x. In the above mentioned example of the turbine hall, representative for the hazard earthquake, it can be assumed that all SSC of S fail if the turbine hall fails. In this case the function c equals 1. This value does not depend on the strength parameter of the hazard, here the seismic intensity.

The screening process to get HDL proceeds similarly to the HEL screening process (see Figure 4). The preliminary HDL is made up of dependency triples based on basic assumptions like “In case of an earthquake SSC of the same type and located on the same floor fail fully dependent”. The preliminary HDL is verified and supplemented in the course of plant walkdowns. The intention of a quantitative screening is to decide for which dependency triple D of HDL a detailed determination of the effectiveness function and the coupling function is actually necessary. An automatic extension, according to Figure 3, of the RiskSpectrum® plant model can be carried out for all dependencies included and described in the HDL.
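The turbine hall triple D = (A, S, c) described above can be written down as a data structure and applied to a redundant pair of components, as an added example that is not the authors' or RiskSpectrum® code. The lognormal fragility form, the OR-gate combination of own failure and dependent failure, the reading of c as the probability that all members of S fail once A is effective, and all component names and capacities are assumptions made for illustration.

```python
"""Dependency triple D = (A, S, c) applied to a redundant pair (added example)."""
import math
from dataclasses import dataclass
from typing import Callable, FrozenSet


def lognormal_fragility(median_g: float, beta: float) -> Callable[[float], float]:
    """ASSUMPTION: lognormal fragility curve; the paper does not prescribe a form."""
    def fragility(a: float) -> float:
        if a <= 0.0:
            return 0.0
        z = math.log(a / median_g) / beta
        return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))
    return fragility


@dataclass(frozen=True)
class Dependency:
    attribute: str                            # A: common attribute of the members
    members: FrozenSet[str]                   # S: SSC assumed to fail dependently
    effectiveness: Callable[[float], float]   # EA(x): attribute becomes effective
    coupling: Callable[[float], float]        # c(x): members fail given A effective

    def common_failure_probability(self, x: float) -> float:
        return self.effectiveness(x) * self.coupling(x)


# Constructed hazard equipment list: SSC name -> own seismic fragility (hypothetical).
HEL = {
    "pump_A": lognormal_fragility(1.2, 0.4),    # located in the turbine hall
    "pump_B": lognormal_fragility(1.2, 0.4),    # located in the turbine hall
    "diesel_1": lognormal_fragility(1.5, 0.4),  # located elsewhere
}

# The turbine hall example from the text: EA(a) = FTH(a) and c = 1.
TURBINE_HALL = Dependency(
    attribute="located in turbine hall",
    members=frozenset({"pump_A", "pump_B"}),
    effectiveness=lognormal_fragility(0.6, 0.4),  # FTH(a), constructed capacity
    coupling=lambda a: 1.0,
)
HDL = [TURBINE_HALL]


def ssc_failure_probability(ssc, a, hel, hdl):
    """Extended basic event: own seismic failure OR any dependency containing the SSC."""
    survive = 1.0 - hel[ssc](a)
    for dep in hdl:
        if ssc in dep.members:
            survive *= 1.0 - dep.common_failure_probability(a)
    return 1.0 - survive


def redundant_pair_failure(ssc1, ssc2, a, hel, hdl):
    """Both SSC fail: a shared dependency acts, OR both fail on their own.
    Dependencies containing only one of the two are ignored in this sketch."""
    no_joint_failure = 1.0 - hel[ssc1](a) * hel[ssc2](a)
    for dep in hdl:
        if ssc1 in dep.members and ssc2 in dep.members:
            no_joint_failure *= 1.0 - dep.common_failure_probability(a)
    return 1.0 - no_joint_failure


if __name__ == "__main__":
    for a in (0.2, 0.4, 0.6, 0.8):
        independent = redundant_pair_failure("pump_A", "pump_B", a, HEL, [])
        dependent = redundant_pair_failure("pump_A", "pump_B", a, HEL, HDL)
        print(f"a = {a:.1f} g  independent: {independent:.2e}  with HDL: {dependent:.2e}")
```

At accelerations where the building is weaker than the equipment inside it, the shared event dominates the failure probability of the redundant pair, which is why the HDL entry cannot be dropped from the extended fault tree.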

4 CONCLUSIONS AND OUTLOOK

After investigation of the Fukushima Daiichi NPP accident in March 2011 a concept is being developed to include all kinds of internal and external hazards into Level 1 PSA in a comprehensive manner. The concept assumes that an all-embracing generic list of hazards and possible hazard combinations is given, and it has to be decided within a site-specific screening process how the hazards are to be assessed: the risk contribution of a given hazard can be neglected, the risk can be roughly assessed or the risk must be calculated in detail with probabilistic methods.

A consistent approach for the required extension of the plant model is proposed for all those hazards which must be analyzed in detail. For this purpose, lists of hazard relevant SSC (HEL) and their hazard-related failure dependencies (HDL) are derived in a systematic way.

Several parts of this concept have already been tested. At present our activities are concentrated on the compilation of the all-embracing generic list of hazards and possible hazard combinations and on the elaboration of a site-specific screening process. Questions around the comprehensive inclusion of dependencies into the plant model are at the center of our future research activities.


5 ACKNOWLEDGMENTS

The authors want to thank the Ministry for the Environment, Nature Conservation and Nuclear Safety (Bundesministerium für Umwelt, Naturschutz und Reaktorsicherheit, BMU), the Federal Agency of Radiation Protection (Bundesamt für Strahlenschutz, BfS), and the Ministry of Economics and Technology (Bundesministerium für Wirtschaft und Technologie, BMWi) for funding the activities presented in this paper.

6 REFERENCES

[1] Bundesministerium für Umwelt, Naturschutz und Reaktorsicherheit (BMU). Sicherheitsüberprüfung für Kernkraftwerke gemäß §19a des Atomgesetzes - Leitfaden Probabilistische Sicherheitsanalyse. Bekanntmachung vom 30. August 2005, Bundesanzeiger, Jahrgang 57, Nummer 207a, ISSN 0720-6100, Germany: 2005.

[2] Facharbeitskreis (FAK) Probabilistische Sicherheitsanalyse für Kernkraftwerke. Methoden zur probabilistischen Sicherheitsanalyse für Kernkraftwerke, BfS-SCHR-358/05, Salzgitter, Germany: October 2005.

[3] Facharbeitskreis (FAK) Probabilistische Sicherheitsanalyse für Kernkraftwerke. Daten zur probabilistischen Sicherheitsanalyse für Kernkraftwerke, BfS-SCHR-38/05, Salzgitter, Germany: October 2005.

[4] Türschmann M., et al. Verfahren zur Klassifizierung von Bauwerken, Systemen und Komponenten in Hinblick auf ihre sicherheitstechnische Bedeutung bei seismischen Einwirkungen. Technischer Fachbericht, GRS-A-3472, Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Köln, Germany: 2010.

[5] Herb, J. Procedures and Tools Comparing PSA in the Frame of Periodic Safety Reviews. In 11th International Probabilistic Safety Assessment and Management Conference and the Annual European Safety and Reliability Conference 2012, (PSAM11 ESREL 2012). ISBN: 978-1-62276-436-5, Curran Associates, Inc., Red Hook, NY: 2012.


TREATMENT OF THE LOSS OF ULTIMATE HEAT SINK INITIATING EVENTS IN THE IRSN LEVEL 1 PSA

Patricia DUPUY*, Gabriel GEORGESCU, François CORENWINDER
Institute for Radiological Protection and Nuclear Safety, Fontenay-aux-Roses, France

Abstract:

The total loss of the ultimate heat sink is an initiating event which, even though it is mainly of external origin, has been considered in the frame of internal events Level 1 PSA by IRSN. The on-going actions on the development of external hazards PSA and the recent incident of loss of the heat sink induced by the ingress of vegetable matter that occurred in France in 2009 have pointed out the need to improve the modeling of the loss of the heat sink initiating event and sequences to better take into account the fact that this loss may be induced by external hazards and thus affect all the site units.

The paper presents the historical steps of the modeling of the total loss of the heat sink, the safety stakes of this modeling, the main assumptions used by IRSN in the associated PSA for the 900 MWe reactors and the results obtained.

Keywords: level 1 PSA, external hazards, loss of the ultimate heat sink

1. INTRODUCTION

The total loss of the ultimate heat sink is an initiating event which, even if it is mainly of external origin, has been considered in the frame of the level 1 Probabilistic Safety Assessment (PSA) performed by IRSN for internal events. According to the French PSA Fundamental Safety Rule, this kind of initiator should be considered by the plant operator in the frame of the “Reference PSA”.

Up to now, the sequences induced by a loss of the heat sink were analysed and modelled considering the impact of the initiator on a single unit.

The on-going actions on the development of external hazards PSA and the recent incidents of loss of the heat sink induced by the ingress of vegetable matter and debris that occurred in France in 2009 have pointed out the need to improve the modelling of the loss of the heat sink initiating event and sequences, to better take into account the fact that this loss may be induced by external hazards and thus affect all the site units.

The following paragraphs refer to 900 MWe PSA. However, some of the presented aspects are also valid for other French operating reactor types (1300 MWe or 1450 MWe reactors).

2. HEAT SINK GENERALITIES (900 MWE NPPs)

Maintaining reactor cooling in all situations is one of the main safety functions. Inside the pumping station, the raw water coming from the river or the sea is first filtered by a pre-filtering grid, which is cleaned by a trash removal system, and then filtered through rotating filters (chain filters or drum screens depending on the NPP site), each one being equipped with a flushing system. This raw water supplies the cooling circuit of the safety systems of the nuclear island (essential service water system (ESWS)) and the cooling circuit of the conventional island.

The ESWS consists (for almost all French PWRs) of two redundant trains, each one equipped with two pumps designed to deliver 100% of the required flow-rate. The system is an open circuit system: the water pumped in the pumping station is transported up to heat exchangers and then returns to the river or the sea. Through these exchangers, the ESWS ensures the cooling of an intermediate, closed circuit system, called the component cooling water system (CCWS) of the nuclear island. The ESWS and the CCWS are systems important to safety.

CCWS ensures cooling of many systems and components important to safety:

• the heat exchangers of the containment spray system (CSS),

• the heat exchangers and pumps of the residual heat removal system (RHRS),

• the heat exchangers of the fuel pool cooling and purification system (FPCS),

• the reactor coolant pumps (thermal barrier and electrical motor),

• the non-regenerative heat exchanger of the chemical and volume control system (CVCS),

• the condensers of cooling systems DEG and DEL (respectively nuclear island and electrical building chilled water system),

• the emergency ventilation system DVH dedicated to the ventilation of rooms housing the high head safety injection (HHSI) pumps.

As a consequence, a loss of the heat sink, in particular in case of natural hazards threatening the pumping station, leads to the loss of ESWS and may principally cause for reactors at power or in hot shutdown:

• A small break LOCA at the primary pumps seals. Indeed, the non-regenerative heat exchanger of the CVCS is no longer cooled in case of loss of the heat sink. The water is discharged by the CVCS at an increasingly high temperature. If the letdown line is not isolated, automatically or by the operator, the hot water will reach the charging line. The filters upstream and downstream of the CVCS pumps are not designed to withstand such temperatures and are thus liable to be damaged and possibly form debris which, when injected into the primary pump seals, are liable to damage the pumps. If the intake temperature reaches or exceeds around 130°C, the CVCS pumps cavitate. In this case, injection at the seals is lost and thermal barriers of the primary pumps are no longer cooled by the CCW system. Damage of the primary pump seals may result in a primary system break.

Moreover, the primary pumps are automatically shut down when the radial and thrust bearing lubricating oil temperature upper threshold of the primary pumps is reached (as the pumps are no longer cooled by the CCWS). If the primary pumps are not shut down, a small break LOCA will occur.

• The loss of cooling of the CSS heat exchanger used to maintain the temperature of the water in the reactor building sumps below the design limit of the safety injection pumps.

If the reactor is in shutdown state, the loss of CCWS leads to the loss of the residual heat removal system.

In all the reactor states, the spent fuel pool cooling is also lost as a consequence of the CCWS failure.


3. RISKS ASSOCIATED TO THE LOSS OF THE ULTIMATE HEAT SINK

The total loss of the ultimate heat sink is a real risk which was not fully identified at the initial design of French plants. It was not included in the list of design basis accidents and was introduced after the design stage in the list of the multiple failures situations (“design extension”) considered in the safety demonstration.

The identification of the risks associated to a loss of the heat sink mainly comes from the insights of the level 1 PSAs. The main steps regarding the identification and treatment of this risk are presented hereafter.

3.1 Insights of the first Probabilistic Safety Assessments

PSAs provide a risk assessment method based on systematic investigation of accident scenarios, involving multiple failures likely to lead to consequences exceeding those of the design-basis operating conditions. PSAs have been extensively used in France as a complement to deterministic analysis to identify possible weak points in the design. In particular, during the second half of the 1980’s, the PSA for PWR 900 MWe developed at IRSN highlighted some scenarios induced by multiple failures, not identified at the initial design, which may nevertheless have a significant frequency.

Notably, scenarios induced by a total loss of the ultimate heat sink (due to a common cause failure of the water intake or the loss of all ESWS or CCWS trains) have been identified by PSA as leading to a significant core damage frequency. In the first PSA performed in 1990 by IRSN for the 900 MWe French NPP, the core damage frequency for the initiating event “loss of heat sink in full power” was assessed at 6E-06 /r.y.

The dominant core damage sequences corresponded to human errors to quickly isolate the letdown line before the degradation of the CVCS pump (or to perform actions necessary to maintain an injection to the primary pumps seals), leading to the occurrence of a leak at the seals and to the failure of the HHSI function (ensured also by the CVCS pumps) that is necessary to cope with the primary circuit leak.

On the basis of the level 1 PSA results obtained by IRSN and confirmed by the utility (EDF), several significant design and organizational improvements were implemented on 900 MWe NPPs:

• improvement of accidental procedures and integration of a new strategy to cope with a loss of the ESWS. This strategy consists in using the thermal inertia of the refuelling water storage tank (RWST) water as an emergency heat sink for temporarily cooling the CCWS, through a CCWS/CSS heat exchanger. This temporary cooling allows the operation of one reactor cooling pump and one charging pump so that a safe state can be reached. The accident procedure - which was really applied for the first time in France during the incident of loss of the heat sink that occurred at Cruas 4 NPP in December 2009 - proved itself to be effective. This incident is presented in the appendix;

• implementation of an automatic isolation of the letdown line in order to protect the CVCS pumps,

• replacement of the CVCS filters to improve their heat resistance.

The total loss of the ultimate heat sink has then been included in the list of the multiple failures accidents of the safety demonstration.


3.2 Impact of external hazards on the heat sink hazards

In the framework of the deterministic studies but also in the level 1 PSA, the loss of the heat sink has been studied for a single unit, considering a recovery time of the cooling of 100 hours with a probability of 95% (33 hours considered as the mean recovery time in the PSA based on an exponential statistical distribution).

However, in the framework of the periodic safety reviews, the list of the natural hazards and combinations of hazards to be considered in the safety demonstration and the characterization of the “design basis hazards” have been reviewed, considering the operating experience (extreme cold winters in 1985-1987, partial flooding of Le Blayais NPP during the 1999 severe storm, extremely high temperatures in 2003 and 2006, frazil in the pumping station in Chooz NPP in 2009…). Consequently, many improvements of the protection measures have been implemented at all French NPPs.

In addition, the initial assumption of the independence between external hazards and some accident situations such as a loss of the heat sink or a loss of the external electrical supplies has been reconsidered.

It has to be noted that, even if external hazards were initially considered as being independent from internal events accidents, studies performed in the framework of the periodic safety reviews have revealed that a correlation between the external hazards and internal events may exist. For example, the total loss of the heat sink may be induced by external hazards such as: extreme cold weather with frazil or ice blockage, ingress of vegetable matter, debris (leaves, algae…) or hydrocarbon, external flooding at some sites (in particular when the flood carries debris and when the function of the filters and their flushing system is degraded in case of extreme flood), drought with very low level of the river…

Studies have been performed to analyze the types of accidents that may affect all the site units at the same time and for a long duration. These studies have brought about:

• stronger requirements on the water inventory in the tanks necessary to refill the secondary water tanks of the auxiliary feed water system in case of a loss of the heat sink of long duration;

• adaptation of the accident procedures in order to deal with multi-units loss of the heat sink and of the external electrical supplies;

• improvement of the on-site emergency planning to deal with multi-units accidents, in particular in case of external hazards (with possible difficulties to reach the site and to circulate).

On the probabilistic point of view, the current situation in France is as follows:

• As already mentioned, the modeling in the PSA of the loss of the heat sink initiator and the corresponding accident sequences didn’t explicitly consider that they are, in fact, induced by an external hazard.

• Today, at IRSN, concerning hazards, priority is given to internal fire and internal flooding. However, developments are in progress in particular for earthquake and studies for different external hazards are expected from the utility for the next periodic safety review of operating NPPs.


4. UPDATE OF PSA MODELS AND FIRST RESULTS

During the third periodic safety review of the 900 MWe reactors, the modeling of the total loss of the heat sink in the level 1 PSA was updated by IRSN and EDF. It was the occasion for IRSN to better take into account the fact that a total loss of the heat sink, already modeled as an initiator of the level 1 PSA, may be induced by natural hazards.

The modeling assumptions and data, as the occurrence frequency of the loss of the heat sink induced by a natural hazard, the recovery time and the impact on the human actions necessary to deal with the accident, are not straightforward. The main assumptions (some of them being shared by IRSN and EDF and others not) and the results are presented hereafter.

4.1 Main assumptions

Characterisation of the initiating event

In French PSA, the occurrence frequency and the recovery time have been evaluated by expert judgement based on French and international operating feedback.

Even if the loss of the heat sink is treated in the “internal events” level 1 PSA independently from external hazards, its occurrence frequency (about 10⁻⁴/y.r.) and, to a lesser extent, its recovery time (33 hours) are assessed on the basis of some natural events that had challenged the pumping station at some sites, in particular during the very cold winters in 1985-1987. A consensus was found between EDF and IRSN PSA teams on these values already considered in the level 1 PSA. However, the analysis of the recent event of loss of the heat sink that occurred in France (Cruas in 2009; see appendix) is in progress in order to confirm or reassess these values, in particular the frequency, in the update of the loss of the heat sink model. It has to be noted that the duration of the loss of the heat sink in 2009 (10 hours) was covered by the value taken into account in the PSA.

In a second step, it will be relevant to consider longer recovery times of the heat sink in order to take into account the impact on the pumping station of some extreme hazards. The evaluation of longer losses of the heat sink in the PSA will be useful to assess the sufficiency of the complementary design and organizational measures defined in France on the basis of the conclusions of the “stress tests” performed after the Fukushima accident.

Multi-units impact

One of the major changes for the update of IRSN model of the loss of the heat sink is the assumption of the multi-units effects of the initiator. Indeed, if the loss is caused by a natural hazard, IRSN assumes that all the units may be affected (in particular the units with common pumping station or with neighboring water intakes). This rather conservative assumption is not shared by the utility EDF that studies the impact on only one unit. It must be noted that even if the cooling by the ESWS at Cruas was totally lost at only one unit, 2 of the 3 other units were also challenged (with partial loss of the ESWS).

The modeling of the impact on multi-units leads to consider in the PSA the following aspects:

• the limited availability of water reserves for the secondary cooling, due to common reserves for several units and designed to cope with a loss of the ultimate heat sink at only one unit;

• the impossibility to use the common means on site (as the ultimate site diesel generator or other ultimate devices) by more than one unit at the same time;


• the impact on the human factor, as only one “safety engineer” is available for twin units;

• the impossibility to use back-up by twin unit specific systems (as the charging line of the other unit which can be used by the first unit as a substitute for safety injection in some situations).

For the moment, the simultaneous impact on the reactor and on the spent fuel pool has not yet been considered in the IRSN PSA and will be dealt with in a second step.

Integrity of the primary circuit

As already mentioned, in case of loss of the CCWS, the thermal barriers of the main coolant pumps are no longer cooled and the water injection to seals by the CVCS pumps may also be unavailable. Thus, the primary pump seals may be damaged, which can lead to a leak. Based on specific tests performed by the pump manufacturer, the leak rate per pump has been assumed (since the first PSA developed in France) for 900 MWe French NPP to be equal to 60 t/h with a probability of 0.2 and to 5 t/h with a probability of 0.8, when the pumps are shut down and when the primary system temperature is above 180°C. If the primary pumps are not shut down, the leak rate is assumed to be equal to 100 t/h with a probability of 1. Regarding these assumptions a consensus exists between EDF and IRSN PSA teams.

It has to be noticed that EDF is performing studies and tests, in particular in the framework of the improvements after the Fukushima accident, to identify the possible solutions to improve the pumps seals in order to ensure their robustness in case of loss of their cooling.

CVCS/HHSI pumps cooling

In the absence of cooling by the CCW system of the normal and safety ventilation systems of the rooms containing the CVCS pumps (systems DVN and DVH), it was assumed, on the basis of a study of the temperature variation in these rooms, that loss of the heat sink:

• would not cause a loss of the CVCS pumps if the ventilation systems DVN and DVH continue to operate without cooling,

• will cause the loss of the CVCS pumps (which are also the high head safety injection (HHSI) pumps for the 900 MWe plants) when the DVN system is unavailable and only the DVH system operates without cooling (for example in case of simultaneous loss of the heat sink and loss of the off-site electrical power supply, which will lead to loss of the DVN system, since this system is not supplied by the diesel generators).

Protection of the CVCS/HHSI pumps

The operator is required to perform two manual actions to ensure proper operation of the CVCS pumps in case of a loss of the heat sink (increasing the injection rate at the seals to ensure minimum pump flow and isolating the seals leak-off line which is no longer cooled).

It has been assumed that the failure of any of these actions will result in failure of the CVCS pumps and induce a loss of the injection to the primary pumps seals, as well as the loss of the HHSI function (ensured also by the CVCS pumps).


Cooling of the electrical compartments

It was assumed that in the absence of cooling of the electrical compartments ventilation system, the time available before reaching conditions prejudicial to proper operation of the electrical systems is sufficient to enable recovery of the heat sink or implementation of mobile cooling resources.

Accidental procedures

The PSA update considers the current symptoms-oriented procedures, instead of the previous events-oriented procedures.

Resistance of equipment in case of external hazards

At this stage, the update of the “loss of the heat sink model” focuses on the review of the functional assumptions and data used. The detailed nature of the external event which results in this loss is not taken into account. This first step of the future PSA model improvements will be to identify and characterize the reliability of the lines of defense against the external hazards (prevention and mitigation) and of the main equipment involved (affected by the hazard or needed to mitigate the effect of the hazard).

In a second step, IRSN plans to adapt the modeling to some external events. This difficult step will require deeper analyses on the impact of the hazard on the equipment (evaluation of the equipment robustness) and on the management of the situation (specific procedures used, specific difficult conditions for the operators, impact of the hazard on the site accessibility and the on-site emergency management, possible anticipation of some actions using a warning system…).

4.2 Results

The core damage frequency for the initiating event “loss of heat sink in full power” was assessed in the first PSA at 6E-06 /r.y. The dominant core damage sequence corresponded to the occurrence of a leak at the primary pumps seals with failure of the safety injection function.

In the updated PSA, considering multi-units impact, symptom oriented procedures and design improvements to limit the risks of primary leak in case of loss of the heat sink, the core damage frequency for the initiating event “loss of heat sink in full power” has been estimated at 5.5E-7 /r.y.

The dominant sequence in the updated PSA corresponds to the exhaustion of the secondary water reserves before the heat sink recovery (sequence due to multi-units consideration). In this situation, where the cooling of the primary circuit by the secondary circuit is no longer available, the feed and bleed procedure can’t be used to remove the decay heat due to the absence of the heat sink (indeed the CCWS is necessary to cool the containment spray system used to maintain the temperature of the water in the reactor building sumps below the design limit of the safety injection pumps).

The frequency of the sequence that used to be dominant in the first study (leak to the primary pumps seals) has been reduced due to the design and procedures improvements. The efficiency of the new procedures and design has been shown during the 2009 Cruas incident.

5. CONCLUSION

The total loss of the heat sink was not initially addressed in the safety demonstration of French NPPs. On the basis of the insights of the first probabilistic assessments performed in the 80’s, the risks associated to this “multiple failure situation” turned out to be very significant and design and organisational improvements were implemented on the plants.


Reviews of the characterization of external hazards and of their consequences on the installations and French operating feedback have revealed that extreme hazards may induce a total loss of the heat sink. Moreover, the accident that occurred at Fukushima in 2011 has pointed out the risk of such a loss of long duration at all site units in case of extreme hazards.

In this context, it seems relevant to further improve the modelling of the total loss of the heat sink by considering the external hazards that may cause this loss. In a first step, IRSN has improved the assumptions and data used in the loss of the heat sink PSA model, in particular by considering that such a loss may affect all the site units.

The next challenge will be the deeper analysis of the impact of external hazards on the equipment necessary to cope with the loss of the ultimate heat sink.


APPENDIX: INCIDENT AT CRUAS 4 IN 2009 - TOTAL LOSS OF THE HEAT SINK (IAEA/NEA IRS N. 8068)

The Cruas site has two twin-unit plants, i.e. four 900 MWe PWR reactors. Each pair of plant units has a common pumping station: one station for plant units 1/2 and one for plant units 3/4.

During the night of December the 1st, 2009, a massive amount of vegetable matter (around 50 m³ compared with a monthly average of 5 m³) blocked the water intake of the common pumping station of Cruas NPP units 3 and 4, by clogging the pre-filtration trash racks. The fall in the water level between the pre-filtration and the rotating drum screens made unavailable one of the two trains (train A in operation) of the essential service water system (ESWS) of plant unit 4. This led the operator EDF to shut down reactor 4 by dropping control rods, in application of the incident situation procedures. Then, EDF switched the ESWS onto the other train (train B), which was also unavailable because of the lack of water intake. Unit 4 was therefore in a situation of total loss of the heat sink, for the first time in France.

Unit 4 was brought into a fallback state in normal shutdown, the reactor being cooled by steam generators, with the primary circuit at the conditions allowing connection of the residual heat removal system (RHRS), but with RHRS unconnected. To temporarily cool the component cooling water system (CCWS), a specific operation strategy (mentioned in the procedures) was implemented, using the thermal inertia of the refuelling water storage tank (RWST) through a heat exchanger and a pump of the containment spray system (CSS).

The on-site emergency organization was activated. National emergency organizations were also activated afterwards, involving several emergency teams: national crisis teams from EDF and from public authorities (French Safety Authority (ASN) and IRSN).

During the incident, cleaning operations of the pre-filtration trash racks and of the filtration drum screens were continuously performed. The monitoring and protection means existing in the Cruas pumping stations were unable to ensure the ESWS supply. Furthermore, the means of cleaning of the systems ensuring the pre-filtration and filtration of the raw water from the river Rhone, installed on the site in a fixed and durable manner, were not sufficient to cope with this situation. This necessitated resorting to mobile means, such as a trash removal truck for cleaning the pre-filtration trash racks, as well as collection trucks to aspirate and store the waste from the rotating drum screens.

The total loss of heat sink of unit 4 lasted 10 hours.

Other plant units were also impacted by the clogging of the trash racks: plant units 2 and 3 partially lost their heat sink.


Modeling of Seismically induced Multiple Rare Events in PSA of Indian NPPs

M. Hari Prasad*, Gopika Vinod, A. Ravi Kiran, R. Rastogi, M. K. Agrawal, R.K. Singh and K. K. Vaze
Reactor Design and Development Group, Bhabha Atomic Research Centre, Trombay, Mumbai, INDIA-400 085.

ABSTRACT

The possibility of long term loss of offsite power (LOOP) along with seismic event in the safety analysis of Indian Nuclear Power Plants (NPPs) has been one of the important considerations, which has further gained greater momentum after Fukushima event. This has resulted in modeling multiple rare events, such as LOOP and loss of coolant accident (LOCA) in the external event Probabilistic Safety Assessment (PSA) studies. In this paper a general procedure for modeling seismically induced multiple rare events in PSA of nuclear power plants is presented. A Case study on simultaneous occurrence of seismically induced Class-IV power supply failure along with occurrence of LOCA and seismically induced station black out event have been analyzed.

Key words: External events, PSA, LOCA, hazard curve, seismic fragility, fault trees, event trees, accident sequence, Core damage frequency.

1. INTRODUCTION

The recent Fukushima accident has posed several challenges to the nuclear community with respect to the safety of Nuclear Power Plants (NPPs) during simultaneous occurrence of seismic and tsunami events, multiple failures of safety systems and maintaining long term sub-criticality during these events. This has resulted in modeling of multiple rare events during seismic events in Indian Pressurized Heavy Water Reactors (PHWRs). Indian PHWRs consist of a low-pressure horizontal reactor vessel called calandria containing heavy water moderator at near ambient pressure and temperature. The calandria houses a large number of pressure tubes, which contain the fuel bundles, and through which pressurized heavy water coolant circulates. Safety is given utmost importance in Indian NPPs. Hence, Probabilistic Safety Assessment (PSA) is an integral part of safety assessment. Even though PSA is not mandatory from a regulatory point of view, as a good practice level 1 PSA (full power internal events) is performed for all Indian NPPs, which is regularly reviewed by the regulatory body. In addition, as a part of full scope PSA, external events such as fire and seismic are also considered for most of the plants. Recently multi unit site PSA is also an emerging concern for Indian NPPs.

In general, the plant consists of normally operating and emergency standby systems and components. The failure of systems during an earthquake will lead to a change in the state of the plant and various scenarios can follow depending on the initiating event and the status of other sub-systems. In this case, the earthquake is the external initiating event, which in turn can initiate other internal events as shown in Figure 1. This paper presents a general procedure for modeling the simultaneous occurrence of seismic events along with multiple system failures. Various sites are studied for seismic vulnerability. A typical case study is presented in this paper. A case study on seismically induced loss of off-site power along with occurrence of LOCA and the related safety systems failures is discussed. The present analysis is based on the seismic PSA procedure. The seismic PSA evaluation process can be divided into seismic hazard evaluation, seismic fragility evaluation and accident sequence analysis [1], which are explained in the following subsections.


External Initiating Event (Earthquake)

Internal + Other Initiating Events:

• Loss of Offsite Power
• LOCA
• Process Water System Failure
• End Shield Cooling System Failure
• Moderator Cooling System Failure
• Service Water System Failure
• Many other Internal IEs
• Seismic Flooding (Tsunami)
• Seismically Induced Fire

Figure 1: Seismic with Internal Initiating Events

2. SEISMIC HAZARD EVALUATION

The seismic hazard analysis refers to the estimation of the annual frequency of a hazard parameter such as the Peak Ground Acceleration (PGA), which characterizes the ground motion at a nuclear power plant site. The seismic hazard model takes into account the seismic history of the region, potential sources of seismic activity, rates of occurrence of earthquakes from these sources, maximum magnitudes, and attenuation of earthquake ground motion from the source to the site. The basic steps used in the Probabilistic Seismic Hazard Analysis (PSHA) [2-5] are shown in Figure 2. The following attenuation relationship has been used in developing the hazard curve for a typical Indian NPP site [6, 7]:

$$\mathrm{Pga}(g) = 1.04\, e^{(0.483M)}\,(R + 30)^{-1.17} \qquad (1)$$

The effects of all the earthquakes of different sizes, occurring at different locations in different earthquake sources at different probabilities of occurrence, are integrated into one curve that shows the probability of exceeding different ground motion levels at the site for a given period of time. The annual frequency of exceedance can be expressed as

$$\nu(z) = \sum_{i=1}^{N} \upsilon_i(m_0) \int_{m_0}^{m_u} \int_{d}^{r_0} f_M(m)\, f_R(r)\, P[Z > z \mid m \ge m_0,\, r]\; dr\, dm \qquad (2)$$

in which

• $\upsilon(m_0)$ = the annual frequency of occurrence of earthquakes on seismic source ‘n’ whose magnitudes are greater than $m_0$ and below the maximum event size, $m_u$;
• $P(R = r_j \mid m_i) = f_R(r)$ = the probability of an earthquake of magnitude $m_i$ on source ‘n’ occurring at a certain distance $r_j$ from the site;
• $P(M = m_i) = f_M(m_i)$ = the occurrence probability of an earthquake of magnitude $m_i$ on source ‘n’;
• $P(Z > z \mid m_i, r_j)$ = the probability that ground motion level $z$ will be exceeded, given an earthquake of magnitude $m_i$ at a distance of $r_j$ from the site.

The hazard curve of the site under study [8, 9] is shown in Figure 3.

3. SEISMIC FRAGILITY EVALUATION

The seismic fragility of a structure or equipment component is defined as the conditional probability of its failure for a given level of seismic input parameter, typically the peak ground acceleration (PGA). In the fragility evaluation, the conditional probability of component failure is determined by considering the capacities of the components in various failure modes. Seismic-induced fragility data is generally unavailable for components and structures. Thus, fragility curves must be developed primarily from analysis combined heavily with engineering judgment supported by the very limited test data available. Such fragility curves will contain a great deal of uncertainty. The uncertainty can be aleatory or epistemic in nature. The aleatory uncertainty can be represented with the help of probability distributions, and the uncertainty in the parameters of the distributions is epistemic in nature. The fragility curve for any component can be defined with the help of its median ground acceleration capacity, $A_m$, and the corresponding uncertainties $\beta_R$ (aleatory) and $\beta_U$ (epistemic). Hence, the probability of failure ($P_f$) at a non exceedance probability ($Q$) can be expressed as [10]:

$$P_f = \Phi\left[\frac{\ln\left(\dfrac{a}{A_m}\right) + \beta_U\,\Phi^{-1}(Q)}{\beta_R}\right] \qquad (3)$$

If both the uncertainties are combined together then the probability of failure can be given as follows:

$$P_f = \Phi\left[\frac{\ln\left(\dfrac{a}{A_m}\right)}{\beta_C}\right] \qquad (4)$$

where

$$\beta_C = \sqrt{\beta_R^2 + \beta_U^2}$$

in which $\Phi(\cdot)$ is the standard Gaussian cumulative function.
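Equations (3) and (4) can be checked against each other numerically. The following Python code is an added example, not part of the original paper; the component parameters (median capacity 0.9 g, aleatory 0.3, epistemic 0.4) are constructed values chosen only for illustration. It evaluates the fragility at a given confidence level Q from Eq. (3), the composite fragility from Eq. (4), and shows that averaging Eq. (3) uniformly over Q reproduces Eq. (4).

```python
"""Seismic fragility curves following Eq. (3) and Eq. (4) of the text."""
import math
from statistics import NormalDist

STD_NORMAL = NormalDist()  # Phi is .cdf, Phi^-1 is .inv_cdf

# Constructed sample component (assumed values, not taken from the paper).
A_M = 0.9      # median ground acceleration capacity A_m, in g
BETA_R = 0.3   # aleatory log-standard deviation (beta_R)
BETA_U = 0.4   # epistemic log-standard deviation (beta_U)


def fragility_at_confidence(a, a_m, beta_r, beta_u, q):
    """Eq. (3): failure probability at PGA `a` for non-exceedance level q."""
    if a <= 0.0:
        return 0.0  # no ground motion, no seismic failure
    if not 0.0 < q < 1.0:
        raise ValueError("q must lie strictly between 0 and 1")
    z = (math.log(a / a_m) + beta_u * STD_NORMAL.inv_cdf(q)) / beta_r
    return STD_NORMAL.cdf(z)


def composite_fragility(a, a_m, beta_r, beta_u):
    """Eq. (4): both uncertainties combined, beta_C = sqrt(bR^2 + bU^2)."""
    if a <= 0.0:
        return 0.0
    beta_c = math.hypot(beta_r, beta_u)
    return STD_NORMAL.cdf(math.log(a / a_m) / beta_c)


def mean_over_confidence(a, a_m, beta_r, beta_u, steps=2000):
    """Average Eq. (3) over Q uniform on (0, 1) with the midpoint rule.

    Eq. (3) is monotone in Q and bounded by [0, 1], so the midpoint sum is
    within 1/steps of the exact integral, which equals Eq. (4).
    """
    total = 0.0
    for k in range(steps):
        q = (k + 0.5) / steps
        total += fragility_at_confidence(a, a_m, beta_r, beta_u, q)
    return total / steps


def fragility_table(pgas, a_m=A_M, beta_r=BETA_R, beta_u=BETA_U):
    """Rows of (PGA, 5% curve, median curve, 95% curve, composite curve)."""
    rows = []
    for a in pgas:
        rows.append((
            a,
            fragility_at_confidence(a, a_m, beta_r, beta_u, 0.05),
            fragility_at_confidence(a, a_m, beta_r, beta_u, 0.50),
            fragility_at_confidence(a, a_m, beta_r, beta_u, 0.95),
            composite_fragility(a, a_m, beta_r, beta_u),
        ))
    return rows


if __name__ == "__main__":
    print(" PGA(g)   Q=5%    Q=50%   Q=95%   composite")
    for a, p05, p50, p95, pc in fragility_table([0.3, 0.45, 0.9, 1.5]):
        print(f"{a:6.2f}  {p05:6.4f}  {p50:6.4f}  {p95:6.4f}  {pc:6.4f}")
```

At a = A_m both the median-confidence curve and the composite curve give a failure probability of 0.5; away from the median the composite curve is flatter because it carries the larger combined dispersion.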

Figure 2: Different steps of Probabilistic Seismic Hazard Analysis [panels: (a) Step 1, (b) Step 2, (c) Step 3, (d) Step 4]


Figure 3: Hazard Curve for a typical NPP Site

4. ACCIDENT SEQUENCE ANALYSIS

Seismic events are treated as initiating events that can cause adverse impacts on support systems, front line systems and structural integrity. The method of dealing with these various challenges is to use a single event tree for many of the consequential seismic events. The initiating event for the seismic event trees is the occurrence of a seismic event; whenever a seismic event occurs, it will in turn initiate other internal events such as loss of offsite power, LOCA, loss of process water systems, etc. Hence, event trees should be generated for all the initiating events, and the dominating accident sequences should be identified for the Core Damage Frequency (CDF) estimation.

4.1. Seismic Event Trees

As discussed above, in seismic event trees the seismic event is the initiating event and the other internal initiating events are due to the seismic event. As a case study, an event tree for seismically induced Class IV power supply failure as well as LOCA has been developed and is shown in Figure 4.

4.1.1 Key modeling assumptions

Primary heat transport system failure, which is postulated along with the seismic initiating event, considers only the failure of the steam generator (SG) inlet piping, SG outlet piping and pump discharge line (failure can occur in any one of these pipe lines). It is assumed that the structural integrity of feeders and headers is intact. No credit for the moderator is considered in the LOCA scenario.

4.1.2 Event description

Upon failure of Class IV power, the reactor trips on ‘No Primary Coolant Pump running’. A high primary heat transport (PHT) pressure trip will follow if the first trip parameter fails. This leads to the actuation of the Reactor Protection System (RPS), initially with Shutdown System 1 (SDS-1) and with SDS-2 if SDS-1 fails. The emergency power supply (EPS), i.e., Class III, is a 6.6 KV system with 4 DG sets. If Class III is available and there is no failure in the PHT system, the mode of decay heat removal and long term reactivity control will be the same as normally followed, with decay heat removal systems (DHRS) such as the Secondary Steam Relief System (SSR), Auxiliary Boiler Feed Water System (ABFWS) and Shut down Cooling System (SDCS). If there is a failure in the decay heat removal systems, core cooling will be achieved through valving in of the fire water system (FWS). If there is a failure of the PHT then the emergency core cooling system (ECCS) will be actuated. The ECCS is operated in two modes: injection mode (ECCI) and recirculation mode (ECCR). Class IV failure followed by complete loss of Class III leads to a Station Blackout scenario. During a station blackout scenario, if there is no failure in the Primary Heat Transport System, core cooling will be achieved through valving in of the fire water system. If there is a failure of the PHT, the ECCS will be actuated. The dominating accident sequences, in terms of consequences, are given below and the corresponding event tree is shown in Figure 4.

• Seismic-Class IV-PHT-ECCR
• Seismic-Class IV-PHT-ECCI
• Seismic-Class IV-EPS-PHT
• Seismic-Class IV-EPS-PHT-ECCI
• Seismic-Class IV-RPS

Figure 4: Seismic Event tree of Class IV failure and LOCA occurrence

4.2 Seismic Fault Trees

Evaluating the accident sequence frequency from the seismic event trees requires the initiating event frequency and the seismically induced failure probabilities of process systems and safety systems. The initiating event frequency (frequency of occurrence of seismic events) can be derived from hazard curve analysis as explained in the previous sections, and the seismically induced failure probabilities of systems can be evaluated by developing seismic fault trees. Unlike traditional fault trees, these fault trees consist of component failures mainly from the structural point of view. The fault trees are developed based on the assumption that components of a similar design, located at the same elevation and with the same orientation, will fail together in a given seismic event if one of them fails, so each such group is considered as a single component. The failure probability contribution from the random failures of the components has not been considered in the analysis. Once the seismic fault trees are developed, the next step is to develop component fragilities depending on their seismic capacities [11, 12] as explained in the previous section. Finding the seismic capacities of the components requires a seismic response analysis. The system fragility curve can be generated from the component fragilities depending on the system configuration and its failure criteria. This can be well represented with the seismic fault trees. Seismic fault trees of the Class-IV power supply system, RPS (SDS-1 and SDS-2), ECCS (injection & recirculation mode) and Class-III power supply system are explained briefly in the following subsections.


4.2.1 Class-IV power supply system

Class-IV power supply is derived from the 220 KV grid through the start-up transformer and from the turbo generator 400 KV system through the generator transformer and unit transformer. The most fragile components of the offsite grid and delivery system are the ceramic insulators in the switchyard. The fragility of these components significantly dominates the failure of the system. The fragility curve of the Class-IV system is shown in Figure 5.

4.2.2 Reactor Protection System

There are two fast acting independent shutdown systems provided as part of the reactor protective system (RPS), viz., primary and secondary shutdown systems. The primary shutdown system (SDS-1) is the primary means for reducing the reactor power from full power to a sub-critical state during operating conditions as well as in accident conditions. The PSS consists of a set of mechanical rods and a driving mechanism at the top of the reactor. The secondary shutdown system (SDS-2), which serves as a stand-by, provides fast injection of liquid poison in a set of vertical tubes located inside the core. The seismic fault tree of SDS-2 is shown in Figure 6. The corresponding fragility is shown in Figure 5.

4.2.3 Class III power supply system

The system consists of 4 diesel generator (DG) sets, each of 50% capacity. This system derives its power from the Class-IV system under normal operating conditions. When the normal supply fails, the DG sets will be able to meet the station emergency loads. Any two DG sets will meet the emergency load of one unit. Each DG set is provided with a compressed air starting system. Fuel oil is supplied from a day tank with sufficient capacity for 8 hours of full load operation of the DG set. Engine jacket cooling, lube oil cooling and turbo charger cooling are by DM water in a closed loop system through the jacket water heat exchanger. The secondary side of the jacket water heat exchanger is provided with cooling water from the non active process water (NAPW) system. The corresponding fragility curve is shown in Figure 5.

4.2.4 Emergency Core Cooling System (ECCS)

The ECCS is designed to provide enough coolant to the primary heat transport system (PHT) to ensure adequate core cooling during accident conditions, thereby avoiding any significant fuel failure. The ECCS consists of a high pressure light water injection system and a long term recirculation system. One N2 gas accumulator and two light water accumulators are provided to supply emergency coolant to the core as a part of ECCS high pressure injection. ECC recirculation ensures prolonged cooling to remove decay heat from the core. The system consists of 4 pumps and 3 plate type heat exchangers. These pumps take suction from the suppression pool water in the reactor building basement. The corresponding fragility curves are shown in Figure 5.

4.2.5 PHT Piping

In the present analysis, the following piping components have been considered in evaluating the fragility of the PHT piping and hence the probability of occurrence of a large break loss of coolant accident (LBLOCA): steam generator inlet piping (SGI), steam generator outlet piping (SGO) and piping corresponding to the pump discharge line (PDL). The estimation of probability is done using the principles of “probabilistic fracture mechanics”. A cracked pipe is considered in evaluating the probabilistic estimate. The size of the crack (leakage size crack) is such that it is detected by leakage detecting instruments with a sufficient factor of safety. The fragility curve of the same is shown in Figure 5.

4.3 Accident Sequence Evaluation

In this step the accident sequence frequency is calculated by convoluting the seismic hazard curves with the fragilities of the corresponding systems, as given in equation 5 and illustrated in Figure 7.

$$P_F = \int_{0}^{\infty} \left(\frac{dH}{da}\right) p_f \; da \qquad (5)$$

where H is the hazard curve, a is the PGA level, pf is the conditional failure probability at a given PGA level and PF is the total failure frequency. The list of dominating accident sequences and their corresponding frequencies is given in Table 1. Each dominating accident sequence frequency is evaluated by convoluting the seismic hazard of the site under consideration with the corresponding system fragilities that are present in that sequence. To check whether the full range of PGA values has been considered in the analysis, a graph of PGA vs CDF has been plotted and is shown in Figure 8. The CDF from the seismically induced Class-IV power supply failure is estimated as 6.40 x 10^-7/yr. The frequency of simultaneous occurrence of a seismic event, LOOP and LOCA and failure of ECCI is estimated as 5.24 x 10^-7/yr. The CDF from internal events is estimated as 7.72 x 10^-6/yr.
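The convolution of equation (5), with the fragility forms of equations (3) and (4), can be carried out numerically as below. This is an added example and not code from the study: the tabulated hazard points and the fragility parameters are constructed, and multiplying system fragilities to obtain a sequence's conditional failure probability assumes the systems fail independently at a given PGA.

```python
import math
from statistics import NormalDist

STD_NORMAL = NormalDist()

# Constructed hazard curve: (PGA in g, annual frequency of exceedance).
# These points are illustrative and are not the site curve of Figure 3.
HAZARD = [(0.05, 1e-2), (0.1, 2e-3), (0.2, 3e-4), (0.4, 3e-5), (0.8, 2e-6), (1.6, 1e-7)]

# Constructed fragility parameters (Am in g, beta_R, beta_U); not values from the study.
CLASS_IV = (0.30, 0.25, 0.35)
PHT_PIPING = (0.90, 0.30, 0.40)
ECCI = (0.70, 0.30, 0.35)


def fragility(a, am, beta_r, beta_u, q=None):
    """Conditional failure probability at PGA a.

    q is None -> composite curve, equation (4), with beta_C = sqrt(beta_R^2 + beta_U^2).
    0 < q < 1 -> curve at non-exceedance probability q, equation (3).
    """
    if q is None:
        beta_c = math.sqrt(beta_r ** 2 + beta_u ** 2)
        return STD_NORMAL.cdf(math.log(a / am) / beta_c)
    return STD_NORMAL.cdf((math.log(a / am) + beta_u * STD_NORMAL.inv_cdf(q)) / beta_r)


def hazard(a, points=HAZARD):
    """Log-log interpolation of the tabulated hazard curve H(a)."""
    for (a0, h0), (a1, h1) in zip(points, points[1:]):
        if a0 <= a <= a1:
            t = math.log(a / a0) / math.log(a1 / a0)
            return math.exp(math.log(h0) + t * math.log(h1 / h0))
    raise ValueError("PGA outside the tabulated hazard curve")


def sequence_pf(a, systems):
    """Conditional probability that every listed system fails at PGA a
    (assumes independent failures given a; success branches are ignored)."""
    p = 1.0
    for params in systems:
        p *= fragility(a, *params)
    return p


def convolve(pf, points=HAZARD, n=400):
    """Equation (5) on a geometric PGA grid.

    H decreases with a, so the frequency of ground motion falling in a bin is
    H(a0) - H(a1); it is multiplied by pf at the bin's geometric mid-point.
    Returns (P_F, [(pga_mid, contribution), ...]); the list is the PGA-vs-
    frequency breakdown used to check that the PGA range covers the risk.
    """
    lo, hi = points[0][0], points[-1][0]
    grid = [lo * (hi / lo) ** (k / n) for k in range(n)] + [hi]
    total, contributions = 0.0, []
    for a0, a1 in zip(grid, grid[1:]):
        bin_freq = hazard(a0, points) - hazard(a1, points)
        a_mid = math.sqrt(a0 * a1)
        c = bin_freq * pf(a_mid)
        contributions.append((a_mid, c))
        total += c
    return total, contributions


if __name__ == "__main__":
    f_iv, _ = convolve(lambda a: fragility(a, *CLASS_IV))
    f_seq, parts = convolve(lambda a: sequence_pf(a, [CLASS_IV, PHT_PIPING, ECCI]))
    peak = max(parts, key=lambda p: p[1])[0]
    print(f"Class IV failure frequency : {f_iv:.2e} /yr")
    print(f"Class IV-PHT-ECCI sequence : {f_seq:.2e} /yr (peak contribution near {peak:.2f} g)")
```

If the per-bin contributions are still large at either end of the grid, the tabulated PGA range is too narrow for the sequence being quantified.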

Figure 5: Fragility Curve of Class IV, RPS, Class III, ECCS, ECCR and PHT piping


Figure 6: Seismic fault trees of SDS-2

Figure 7: Convolution of seismic hazard and fragility curves


Figure 8: Graph between PGA vs CDF

Table 1: Accident sequences and their frequencies

| S.No. | Accident Sequence | Frequency (/yr) |
|---|---|---|
| 1 | Seismic-Class IV-PHT-ECCR | 9.31 x 10^-8 |
| 2 | Seismic-Class IV-PHT-ECCI | 5.24 x 10^-7 |
| 3 | Seismic-Class IV-EPS-PHT | 5.06 x 10^-12 |
| 4 | Seismic-Class IV-EPS-PHT-ECCI | 1.98 x 10^-13 |
| 5 | Seismic-Class IV-RPS | 2.27 x 10^-8 |

5. CONCLUSIONS

A general procedure for modeling seismically induced multiple rare events is explained. A case study on seismically induced LOOP along with occurrence of LOCA has been analyzed, and the seismic event tree for it has been developed. To find the system failure probabilities, seismic fragilities have been developed at component level and then at system level, based on the corresponding seismic fault trees. Seismic fault trees are developed only for those systems which appear in the dominant accident sequences and whose contribution towards CDF is larger. Finally, the accident sequence frequency is calculated by convoluting the seismic hazard curves with the fragilities of the corresponding systems. The frequency of simultaneous occurrence of a seismic event followed by LOOP, occurrence of LOCA and failure of ECCI is estimated as 5.24 x 10^-7/yr. The estimated CDF from the seismically induced failure of the Class-IV power supply is 6.40 x 10^-7/yr. However, for estimating the total contribution to CDF from a seismic event, other initiating events may also need to be considered.

REFERENCES

1. Kennedy, R. P., Cornell, C.A., Campbell, R.D., Kaplan, S., Perla, H. F. (1980) “Probabilistic seismic safety study of an existing Nuclear Power Plant”, Nuclear Engineering and Design, 59, 315-338.
2. Steven L. Kramer (2003). Geotechnical Earthquake Engineering, University of Washington, Prentice-Hall International Series in Civil Engineering and Engineering Mechanics.
3. IAEA-TECDOC-724 (1993), “Probabilistic Safety Assessment for seismic events”, IAEA, Vienna.
4. McGuire R.K (1995). Probabilistic seismic hazard analysis and design earthquakes: Closing the loop. Bull. Seism. Soc. America, Vol. 85 (5), 1275-1284.
5. Paolo Bazzurro, Allin Cornell C (1999). Disaggregation of seismic hazard. Bull. Seism. Soc. America, Vol. 89 (2), 501-520.
6. A. K. Ghosh, K. S. Rao & H. S. Kushwaha (1998), “Development of spectral shapes & attenuation relations from accelerograms recorded on rock and soil sites”, BARC external report, BARC/1998/E/016.
7. AK Ghosh and HS Kushwaha (1998), “Sensitivity of seismic hazard to various parameters and correlations for peak ground acceleration”, BARC external report BARC/1998/E025.
8. A. K. Ghosh, K. S. Rao and H. S. Kushwaha (2003), “Development of uniform hazard response spectra for Tarapur, Trombay and Kakrapar sites”, BARC external report, BARC/2003/E/019.
9. A. K. Ghosh (2006), “Probabilistic seismic hazard analysis for a site”, Nuclear engineering and design, vol. 236, pp. 1192-1200.
10. Kennedy, R. P., and Ravindra, M. K. (1984), “Seismic fragilities for Nuclear power Plant risk studies”, Nuclear Engineering and Design, 79, pp. 47-68.
11. Kennedy, R. P., Campbell, R. D., and Kassawara, R. P. (1988), “A seismic margin assessment procedure”, Nuclear Engineering and Design, 107, pp. 61-75.
12. PFBR/14110/DN/1000 (2003). “Seismic studies and design basis ground motion parameters for Kalpakkam site”, PFBR, 2003.


PSA MODELING OF LONG-TERM ACCIDENT SEQUENCES

Gabriel Georgescu (a)*, Francois Corenwinder (a) and Jeanne-Marie Lanore (a)

(a) Institute for Radiological Protection and Nuclear Safety, Fontenay-aux-Roses, France

Abstract:

In the context of the extension of PSA scope to include external hazards, in France both the operator (EDF) and IRSN are working to improve the methods used in the PSA to take into account accident sequences induced by initiators which affect a whole site containing several nuclear units (reactors, fuel pools,…). These methodological improvements represent an essential prerequisite for the development of external hazards PSA. However, it has to be noted that in French PSA, even before Fukushima, long term accident sequences were taken into account: many insights were therefore used, as complementary information, to enhance the safety level of the plants. IRSN proposed an external events PSA development program. One of the first steps of the program is the development of methods to model in the PSA the long term accident sequences, based on the experience gained.

Keywords: External Events, Long Term, PSA

1. INTRODUCTION

The worldwide operating experience shows that external hazards are a threat for the safety of nuclear installations. Notably, they have the potential to cause initiating events and simultaneously to impair the safety systems necessary to limit the consequences of the initiating events.

In France several external events occurred, with the potential to threaten nuclear safety. The most significant one was the partial flooding of the Blayais NPP in December 1999 when, during a severe storm, high waves overtopped a protective dyke surrounding the site and partly submerged some areas. This event raised the questions of the design bases used for the protection of nuclear power plants against external flooding and the efficiency of the existing measures, especially the warning systems, the site protection measures, the protection of safety-related equipment, the procedures and the emergency organization.

Also, some other significant external events affected French NPPs:

• December 2005 - Paluel site: ice formation on the grid transformers leading to shutdown of all four reactors and isolation from the external power supply,

• December 2009 - Cruas units 3 and 4: total loss of the heat sink occurred due to the clogging of the pumping station filters due to a massive arrival of vegetable matters,

• December 2009 - Fessenheim unit 2: partial loss of heat sink occurred due to the clogging of the pumping station filtering drum screens due to vegetable matters.

It has to be noted that the identification, during the 80’s, of the risk of core damage related to the total loss of the ultimate heat sink, as highlighted in the probabilistic safety assessments, led to the definition of some operating and design modifications to cope with such a situation. Finally, these plant improvements made it possible to handle the 2009 Cruas site incident (mainly due to the use of the thermal inertia of the refueling water storage tank water reserve as an emergency heat sink for temporarily cooling the component cooling water system, through a containment spray system heat exchanger).

These recent incidents related to the external events remind us that environmental conditions, changing over time, may challenge the safety of nuclear reactors and highlight the need for better assessment of the risk related to external hazards. In particular the scope of the PSA should be extended, including all relevant external events and their combinations. In this context, both operator (EDF) and IRSN work, in addition to the review of deterministic bases and studies on external events, on probabilistic aspects related to external events PSA: hazards screening analysis, SSC fragility assessment, Human Reliability Assessment (HRA)… and on the improvement of methods to better take into account in the PSA the long term of accident sequences induced by initiators which may affect the whole site containing several nuclear installations (reactors, fuel pools,…).

The Fukushima accident has confirmed the importance and the imperativeness of these external hazards analyses, including external events PSA developments.

In the short term, IRSN intends to enhance the modeling of the “long term” accident sequences induced by the loss of the heat sink and/or the loss of external power supply. The objective of this action is to get a tool to verify similar studies which will be developed by EDF.

The IRSN “long term” studies will also be useful for the assessment of the safety impact of the French plant improvements decided in the frame of post-Fukushima assessments. The basis of the methodology for these studies consists of the methodological aspects defined by EDF for its Flamanville 3 EPR “extreme wind” PSA Level 1 study, enhanced by IRSN experience.

2. AVAILABLE PSA GUIDANCE TO MODEL LONG TERM ACCIDENT SEQUENCES

Although the safety demonstration of the French Nuclear Power Plants has been and remains deterministic, the probabilistic approach takes an increasing place in safety decisions. Despite a limited regulatory framework, in fact the risk insights are more and more taken into consideration as a supplement to the traditional deterministic demonstration.

At the beginning of the French nuclear program, PSA was not a regulatory requirement. Probabilistic studies were first developed on a voluntary basis by both the regulator technical support (IRSN) and by the operator (EDF). Partial probabilistic studies were carried out by EDF and IRSN since the 1970s and two global level 1 internal events PSAs were completed in 1990 (for the 900 MWe plants by IRSN and 1300 MWe plants by EDF).

In order to clarify the acceptable approaches, the French nuclear safety authority (Autorité de sûreté nucléaire - ASN) requested the issuing of a Basic Safety Rule on “Development and Use of Probabilistic Safety Assessments” [1] which was published in 2002. The purpose of this rule was to define acceptable methods for the development of PSAs and proven applications of PSAs for operating or future pressurized water reactors (PWR) of the French nuclear power program, incorporating available French and international experience in this area. An important point is that the Basic Safety Rule introduces the notion of “Reference PSA”, which has to be developed by the operator for each plant series and reviewed by the regulators and their technical support (IRSN). The reference PSA “minimum scope” is a level 1 PSA, covering all internal initiating events, as well as the loss of ultimate heat sink and the loss of offsite power. All plant operating states should be analyzed in the reference PSA. It has to be noted that the loss of ultimate heat sink and the loss of offsite power are initiating events that may be induced, typically, by external hazards. Thus, they may affect simultaneously all site units.


Regarding the duration of the accident sequences, the Basic Safety Rule (BSR) indicates that the PSA should consider the time necessary to reach the success state. However, a common duration time is generally adopted for the majority of the accident sequences (i.e. 24 hours), except in case of initiating events of external origin. Nevertheless, the BSR states that, in certain cases, it is necessary to take into account events that would occur inevitably later or failure modes specific to equipment that is not used in the short term, and therefore to study the accident sequences on the long term. In order to establish realistic scenarios, for sequences where core damage occurs in the medium or long term, the various restoration options may be taken into account. These restorations may involve repair of components of a system, failure of which contributes to the initiating event or aggravates its consequences, or a manual intervention to implement the appropriate strategy. The time between system failure and core damage can be used in the PSA to process the repair of one of the systems whose failure is involved in the accident sequence studied.

In fact, as stated in the Basic Safety Rule, the reference PSA can be supplemented by complementary specific studies. For example the following situations may be studied: sequences over a longer period of time after the initiating event occurrence and accident sequences taking into account the consequences of the initiating event on all site units. The possible incorporation of the special studies into the baseline PSA and the associated modeling approach (simplification of the special studies, for example) are decided on a case-by-case basis, when the reference PSA is updated. Finally, the term “the PSAs” represents the package constituted by the baseline PSA and the special studies.

Moreover, for new reactors the role of PSA is more important. The Technical Guidelines for the design and construction of the next generation of NPPs with Pressurized Water Reactors adopted by ASN [2] request, for new reactors, that a PSA be performed from the design stage, considering a list of initiating events. This list should be as complete as possible and representative of all sequences already analyzed in French PSAs and should include all plant operating states. In this document it is stated that, at the design stage, the use of simplified models and generic data as well as the limitation of calculations to a duration of 24 hours can be sufficient to provide valuable insights as a first step; however, even at the conceptual stage, it is appropriate to investigate specific events which could occur after 24 hours (e.g. refilling of a tank) in order to demonstrate the absence of cliff-edge effects. Moreover, the Technical Guidelines state that, at a later stage, the designer would have to identify clearly the initiating events which could lead to a loss of offsite power or a loss of the ultimate heat sink with long duration. In particular, due attention has to be paid to external hazards which would require long mission times for some systems (long duration of the hazard or long duration of the accident sequences induced by a “short” hazard). Also, the Technical Guidelines state that, in the context of probabilistic studies, the possibilities of a long loss of offsite power or a long loss of ultimate heat sink have to be investigated precisely for a given site.

3. EXISTING LONG TERM FRENCH PSAs

Traditionally, in level 1 PSAs, the accident sequences are treated for a mission time of 24 hours, the long term of the accident sequences being taken into account in a simplified manner. For example, some of the mitigation measures which are needed at long term (refilling of water tanks, systems recovery, operator actions decided by the emergency teams, external support…) are credited in the PSA, but the analysis and the quantification of the associated failure probabilities are based on generic and simplified assessments.

However, it is important to note that, in the French PSA, even before the Fukushima accidents the long term accident sequences were already modeled, many insights being used, as complementary information, to enhance the safety level of the plants. These studies are summarized in the following paragraphs.

For example, beginning with the very first PSA study (in 1990) IRSN tried to avoid too many simplifying assumptions on the sequence development time. The sequences were developed completely, either to the point of core meltdown or to a state in which the risk can be considered as negligible. In order to decide that the risk can be considered as negligible, the post-accident situations of long durations were taken into account. Particularly, for Loss of Coolant Accidents (LOCAs), the long-term phase lasting as long as one year was considered for large LOCA. The study of long term scenarios highlighted problems concerning the reliability and the strategies to use specific equipment and features provided for this type of situation, such as the use of mobile devices or interchanging components between systems (like for example, exchanging pumps between low pressure injection system and containment spray system). To make sure that the scenarios were realistic for the long-term sequences it was necessary to allow the possibility of recovery. Recovery may consist of system repair (particularly when the initiating event is the failure of the system) or human intervention to apply a procedure or implement a recovery strategy.

Later, in the updated PSA studies, IRSN considered also that a common duration of 24 hours for all accident sequences can be too reductive and, consequently, IRSN studied some of the accident sequences by defining decoupling criteria based on a “good” availability and redundancy of the remaining mitigation means. For example, for the situations that need a primary safety injection, a 48 hours duration was considered, corresponding to the time necessary to put in place the mobile means in order to have redundant mitigation means in case of a failure of the safety injection or the containment cooling systems during the long term operation. In the same way, for other types of accident sequences where the Residual heat removal system is used as mitigation means, a 96 hour duration has been considered for the accident sequences modeling, corresponding to the capacity of the alternative means (spent fuel pool cooling system) to cope with the failure of the Residual cooling system.

In the above mentioned studies, the durations longer than 24 hours considered for the quantification of the reliability of the systems were not the only way to take into account the long term effects. IRSN PSAs also study other aspects related to the long duration of the accident sequences, notably:

• the availability of the water resources needed at long term, like the demineralized water reserves for the secondary auxiliary feed water system,

• the time available before failure of the electrical and control systems due to the loss of cooling systems (for example, in case of loss of the ultimate heat sink),

• the role of the emergency organization.

However, the mentioned IRSN PSA studies only considered the reactor and did not take into account the fact that, in some situations, both reactor and spent fuel pool may be simultaneously affected by the initiator. Moreover, the impact on multiple reactors on the site is considered only in a limited manner (availability of water resources).

EDF also developed several long term studies, mainly in the frame of the Flamanville 3 EPR project. In 2006, for the construction license application (preliminary safety report [3]), EDF developed Level 1 PSA long term studies for:

• loss of cooling chain and loss of heat sink (with a maximum of 100 hours considered for recovery time, corresponding to a conventional value),

• loss of offsite power (with a maximum 192 hours considered for recovery time, corresponding to a loss of offsite power induced by an external event except earthquake [footnote 8]).

The objective of these studies was to verify that, considering accident sequence durations longer than 24 hours, no cliff edge effects on the core damage frequency were induced. The studies were developed in a similar manner as a traditional PSA, but functions specific to a long term probabilistic study were also integrated, like: initiators recovery, diesel generators repair, water tanks refilling, etc. These studies showed the importance of the refilling function of auxiliary feed water tanks from the demineralized water system. As a consequence the safety classification of this function was upgraded. The studies also highlighted the importance of the reliability of the diesel generators and of the possibilities to repair them during the accident. It has to be noted that the studies were developed only for the reactor; the interaction with the spent fuel pool was not considered. Moreover, in the study the loss of offsite power and the loss of heat sink are considered as independent; the possible combinations were not analyzed.

As a complement of these two studies, EDF developed in 2010, as part of the integration of the external events in the Level 1 PSA, a study for the “extreme winds” hazard. This study was developed in the frame of the operating license application of Flamanville 3 NPP. The study considers the simultaneous loss of the heat sink and loss of offsite power induced by an extreme wind. The duration of the accident sequences considered is 100 hours. The possibility to recover the heat sink or the offsite power is considered in the study, as well as the repair of the diesels. The study also considers the impact on the reactor and on the spent fuel pool, taking into account, for example, the fact that some of the systems or water reserves are shared between these two installations. The results showed the importance of the strategy followed by the operators in case of simultaneous loss of the heat sink and loss of the offsite power affecting the reactor and the spent fuel pool at the same time. Even if this study is specific of an “extreme wind” hazard, in fact the developed methodology can represent a more general framework for treating long term accident sequences induced by external hazards and affecting more than one nuclear installation.

4. METHODOLOGICAL INSIGHTS FOR LONG TERM PSA MODELING

Today, both EDF and IRSN are working to improve the PSA methods to include the external events. These methods concern mainly:

• hazards screening analysis,

• hazards frequency assessment,

• SSC fragility analysis for different types of hazards,

• HRA taking into account the crisis organization and the organizational factors, etc.

One important identified prerequisite is the development of methods to analyze the long term of the accident sequences induced by initiators which may affect more than one installation on the site.

The experience gained by IRSN and EDF after the development of several studies treating long term accident sequences shows that the simple extension of the mission time of the mitigation systems from 24 hours to longer times is not sufficient to realistically quantify the risk and to obtain a correct ranking of the risk contributions; treatment of some recoveries turns out to be also necessary.

8 Earthquake is treated in a specific probabilistic study.


In the short term, IRSN intends to develop a generic study, for a given design, which can be used as a general methodology for the assessment of the long term accident sequences mainly generated by an external event or a combination of external events. This generic study may then be particularized for almost all external hazards and combinations of external hazards for which a PSA development will be judged necessary on the basis of the (site specific) screening analysis results. For example, the following figure schematizes the possible combinations of events which can be generated by an external hazard. This example is only illustrative and does not represent a real plant.

Figure 1. “Long term” generic study

[Event tree diagram. Initiator: loss of offsite power (by initiator). Headers: heat sink (initiator impact), diesel generators, autonomy of fuel reserves (water and fuel reserves when the heat sink is unavailable), recovery (fuel supply, offsite power, heat sink), time to core damage. End states: 1, 3, 5 and 7: success; 2: core damage (fuel reserves insufficient); 4: core damage; 6: core damage (fuel or water reserves insufficient); 8: core damage.]

In this example it is assumed that the external hazard will directly lead to the loss of offsite power. In addition, the external hazard may also induce, with a given conditional probability, the loss of heat sink. In fact, most of the climatic hazards may lead, beside other consequences on the installation (projectiles, icing…), to the loss of offsite power and heat sink.

Due to the loss of offsite power, it is considered that the internal power sources (here diesel generators) should be available at long term, depending on the duration of the loss of offsite power and on the fuel reserves (including the assessment of the fuel external supplying possibilities).

In case of the loss of the heat sink, the lowest duration between the duration of the loss of offsite power (upper bound) and the duration of fuel tank capacity (including the assessment of the fuel external supplying possibilities) will be used to quantify the reliability of the internal power sources. The quantification of the reliability of the internal power sources should preferably be performed by using a method which allows a realistic assessment of the probability of failure of internal power sources over a long period of time, including the possible repair (for example Markovian or semi-Markovian models). One difficulty here is to correctly assess the success criteria of the internal power sources, especially if they are shared between the reactor and spent fuel pool or shared with other NPPs on the site (if the event affects more than one installation). Another important aspect is related to the assessment of the reliability data for long mission times of the internal power sources: the available data are in general applicable only to short mission times, because the operating experience is mainly based on the periodic tests, during which the diesels generally run only for a short time.

In case of failure of the internal power sources, the only possibility to avoid the undesired consequences (on the reactor or the spent fuel pool) is to recover the offsite power before this situation. In general the available time is short. Its probability can be assessed by taking into account the mean time to repair of the offsite power and the sequence duration limitations (for example if the duration is short because of limited fuel tank capacity the probability to not recover the offsite power is higher).

It has to be noted that in this example it is assumed that, by design, no other “non-electrical” means are provided, like steam driven pumps or passive means. If the design is different, the methodology “pattern” may be different.
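An added example (not code from the paper, IRSN or EDF) of the Markov treatment suggested above: two redundant diesels with repair, racing an exponentially distributed offsite power recovery until the fuel tanks are empty. All rates and durations, the 1-out-of-2 success criterion, the independence of diesel failures and grid recovery, and the name `long_term_sequences` are assumptions chosen for illustration.

```python
import math


def long_term_sequences(lam, mu, fuel_autonomy_h, offsite_mttr_h, grace_h, dt=0.01):
    """Explicit-Euler integration of a 3-state Markov model up to fuel exhaustion.

    p0: both diesels running, p1: one diesel failed (in repair if mu > 0),
    blackout: both diesels failed (absorbing). One diesel is assumed sufficient.
    Offsite power recovery time is assumed exponential with mean offsite_mttr_h;
    grace_h is the assumed time from loss of all AC power to core damage.
    """
    p0, p1, blackout, cd_diesels = 1.0, 0.0, 0.0, 0.0
    for n in range(round(fuel_autonomy_h / dt)):
        t = n * dt
        entry = lam * p1 * dt  # probability of entering blackout in [t, t + dt)
        # Core damage only if the grid is still down when the grace time ends.
        cd_diesels += entry * math.exp(-(t + grace_h) / offsite_mttr_h)
        d0 = (-2 * lam * p0 + mu * p1) * dt
        d1 = (2 * lam * p0 - (lam + mu) * p1) * dt
        p0, p1, blackout = p0 + d0, p1 + d1, blackout + entry
    # Diesels survived but the tanks are empty: same race against grid recovery.
    cd_fuel = (p0 + p1) * math.exp(-(fuel_autonomy_h + grace_h) / offsite_mttr_h)
    return {"blackout": blackout, "cd_diesels": cd_diesels, "cd_fuel": cd_fuel}


if __name__ == "__main__":
    LAM = 1e-3          # diesel failure rate in operation, per hour (constructed)
    MU = 1 / 24         # diesel repair rate, per hour (constructed)
    OFFSITE_MTTR = 48   # mean time to recover offsite power, hours (constructed)
    GRACE = 2           # hours from blackout to core damage (constructed)

    # "Simple extension of the mission time": no repair, no recovery credited.
    for hours in (24, 100):
        r = long_term_sequences(LAM, 0.0, hours, math.inf, 0.0)
        print(f"no repair, {hours:3d} h mission: P(both diesels lost) = {r['blackout']:.2e}")

    # Repair and offsite recovery credited, for two fuel autonomies.
    for autonomy in (72, 240):
        r = long_term_sequences(LAM, MU, autonomy, OFFSITE_MTTR, GRACE)
        total = r["cd_diesels"] + r["cd_fuel"]
        print(f"fuel autonomy {autonomy:3d} h: diesels lost {r['blackout']:.2e}, "
              f"core damage via diesels {r['cd_diesels']:.2e}, "
              f"via empty tanks {r['cd_fuel']:.2e}, total {total:.2e}")
```

With these constructed inputs the ranking of contributors changes with the fuel autonomy: for short autonomy the empty-tank sequence dominates, for long autonomy the diesel failure sequence does.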

In case of the loss of the heat sink, besides the internal power supply, the secondary water inventory (for reactor decay heat removal or for spent fuel pool make-up) should also be assessed. The duration which is considered to quantify the accident sequences is, in this case, the lowest duration (as upper bound) between the water and fuel inventories. The reliability of the internal power sources should also take into account in this case the impact of the loss of the heat sink on the availability and capacity of the ventilation and conditioning systems. The study should also take into account, if the water inventory is shared between several installations on the site, the operator strategy for using these resources.


This first attempt to develop the generic study allowed identifying some aspects which may be hazard (or combinations of hazards) dependent and which should be deeply assessed, as for example:

• the number of affected installations (only the reactor, reactor and spent fuel pool, whole site units,…),
• the expected duration of the loss of offsite power,
• the conditional probability of loss of the heat sink,
• the probability of failure of external fuel supply,
• the times to repair and recovery probabilities of the situation (offsite power / heat sink),
• other impacts on the installation in addition to the loss of off-site power and heat sink (for example, the probability of failure of internal power sources by projectile impact)…

The assessment of initial boundary conditions is another important issue:

• plant(s) operating state (power, shutdown, whole fuel inside the spent fuel pool, etc.),
• unavailability or specific configurations for maintenance,
• outside temperature (summer, winter): the temperature can affect the speed of exhaustion of water and fuel inventories as well as the time before losing the electrical / control systems due to the failure of ventilation or conditioning systems,…

The intention is to use this kind of generic study in connection with the existing internal events level 1 PSA, in order to facilitate the quantification of a large number of scenarios corresponding to several hazards and combinations of hazards occurring in different initial boundary conditions.

As the performance of sensitivity studies on the most important or uncertain assumptions is also foreseen, the proposed generic study should be simple and flexible to allow easy modifications of the input parameters and data. For example, the repair times of the different functions and equipment (heat sink, offsite power, diesels…) are, at the same time, important but also uncertain input data. The example presented here was especially defined with the aim to easily perform parametric studies on these key data.

The methodological developments have been started and the first results are expected to be available in the near future.

5. CONCLUSION

In the context of the extension of level 1 PSA scope to address external hazards, both EDF and IRSN work, in addition to the review of deterministic bases and studies on external events, on probabilistic aspects related to external events PSA (hazards screening analysis, SSC fragility assessment, HRA, etc.) and on the improvement of methods to better take into account in the PSA the long term of accident sequences induced by initiators which may affect the whole site containing several nuclear installations (reactors, fuel pools,…).

In the short term IRSN intends to enhance the modeling of the “long term” accident sequences induced by the loss of the heat sink or/and the loss of external power supply. The experience gained by IRSN and EDF from the development of several probabilistic studies treating long term accident sequences shows that the simple extension of the mission time of the mitigation systems from 24 hours to longer times is not sufficient to realistically quantify the risk and to obtain a correct ranking of the risk contributions and that treatment of recoveries is also necessary. IRSN intends to develop a generic study which can be used as a general methodology for the assessment of the long term accident sequences, mainly generated by external hazards and their combinations. This first attempt to develop this generic study allowed identifying some aspects, which may depend on the hazard (or combination of hazards) or on the initial boundary conditions, and which should be taken into account for further developments.

References

[1] ASN, Basic Safety Rule: Development and utilisation of probabilistic safety assessments, 2002

[2] ASN, Lettre “Options de sûreté du projet de réacteur EPR”, 2004

[3] EDF, Rapport Préliminaire de Sûreté de Flamanville 3 – version publique, 2006

[4] J. Sandberg (STUK), G. Thuma (GRS), G. Georgescu (IRSN), EUROSAFE 2009 - Probabilistic safety analysis of non-seismic external hazards

[5] F. Corenwinder, ANS PSA 2011, Treatment of the Loss of Ultimate Heat Sink initiating events in the IRSN PSA, 2011

[6] G. Georgescu et al., PSAM 2013, PSA modeling of long-term accident sequences


SESSION 4

MODELING OF NPP RESPONSE TO NATURAL EXTERNAL EVENTS IN PSA

Chair: Gabriel Georgescu

A. Bareith, Z. Karsa, T. Siklossy, Z. Vida
EXTERNAL EVENTS PSA FOR THE PAKS NPP

T. Kozlik
TREATMENT OF EXTERNAL EVENTS IN THE LINKED EVENT TREE METHODOLOGY – NPP GEOSGEN-DAENIKEN EXAMPLE

T. Puukka
THE PROBABILISTIC RISK ANALYSIS OF EXTERNAL HAZARDS OF AN INTERIM STORAGE FOR SPENT NUCLEAR FUEL IN OLKILUOTO

J. Holy, S. Hustak, M. Hladky, O. Mlady, L. Kolar, M. Jaros
EXTERNAL EVENTS ANALYSIS IN PSA STUDIES FOR CZECH NPPs


External Events PSA for the Paks NPP

Attila Bareith (a), Zoltan Karsa (b), Tamas Siklossy (c)*, Zoltan Vida (d)

(a, b, c) NUBIKI Nuclear Safety Research Institute, Budapest, Hungary

(d) Paks Nuclear Power Plant Ltd., Paks, Hungary

Abstract: Initially, probabilistic safety assessment of external events was limited to the analysis of earthquakes for the Paks Nuclear Power Plant in Hungary. The level 1 seismic PSA was completed in 2002 showing a significant contribution of seismic failures to core damage risk. Although other external events of natural origin had previously been screened out from detailed plant PSA mostly on the basis of event frequencies, a review of recent experience on extreme weather phenomena made during the periodic safety review of the plant led to the initiation of PSA for external events other than earthquakes in 2009. In the meantime, the accident of the Fukushima Dai-ichi Nuclear Power Plant confirmed further the importance of such an analysis. The external event PSA for the Paks plant followed the commonly known steps: selection and screening of external hazards, hazard assessment for screened-in external events, analysis of plant response and fragility, PSA model development, and risk quantification and interpretation of results. As a result of event selection and screening the following weather related external hazards were subject to detailed analysis: extreme wind, extreme rainfall (precipitation), extreme snow, extremely high and extremely low temperatures, lightning, frost and ice formation. The analysis proved to be a significant challenge due to scarcity of data, lack of knowledge, as well as limitations of existing PSA methodologies. This paper presents an overview of the external events PSA performed for the Paks NPP. Important methodological aspects are summarised. Key analysis findings and unresolved issues that need further elaboration are highlighted.

Keywords: PSA, External Events, Extreme Weather Conditions, Wind, Snow, Hazard Assessment, Fragility Analysis

1. BACKGROUND

The Hungarian Nuclear Safety Codes [1] list the most important internal and external hazards which shall be taken into consideration during the justification of the design and safety. In particular, the Codes highlight that severe weather conditions and seismic events shall be addressed in the PSA. Initially, probabilistic safety assessment of external events was limited to the analysis of earthquakes for the Paks Nuclear Power Plant in Hungary. The level 1 seismic PSA was completed in 2002 showing a significant contribution of seismic failures to core damage risk. Although other external events of natural origin had previously been screened out from detailed plant PSA mostly on the basis of event frequencies, a review of recent experience on extreme weather phenomena made during the periodic safety review of the plant led to the initiation of PSA for external events other than earthquakes in 2009. Hungarian nuclear safety regulations prescribe that the design basis for loads from natural external hazards shall be set at 10⁻⁴ /a hazard frequency. According to the regulations, the risk from natural external hazards beyond the design basis shall be assessed at least in the range of 10⁻⁷ to 10⁻⁴ /a hazard frequency. Therefore probabilistic safety assessment of external hazards has to be performed unless it can be shown that the design basis of the plant ensures that the plant can withstand the loads induced by a hazard with 10⁻⁷ /a frequency. In addition to these requirements, the accident of the Fukushima Dai-ichi Nuclear Power Plant and the Targeted Safety Reassessment of the nuclear power plants located in the European Union confirmed further the importance of risk analysis for external hazards.

2. OBJECTIVES

In compliance with the abovementioned regulatory requirements, external events PSA for the Paks NPP has been performed. Among others, the objectives of the assessment were to quantify to the extent possible the level of risk induced by natural external hazards and to identify the main risk contributors. It was foreseeable from the beginning of the assessment that all the risk contributors from the various hazards could not be determined and quantified adequately on the basis of the available background analyses. Therefore a main further objective was to identify analysis areas that would need to be further dealt with in order to develop a full scope external event PSA, as well as to reduce uncertainties and conservatism where necessary.


Consolidated proposals on safety enhancement can only be made after resolving these analysis issues, although an objective was to identify apparently important safety concerns in this assessment phase.

As to the scope of the analysis, potential hazard induced accidents in full power as well as low power and shutdown states had to be dealt with. Concerning low power and shutdown states, the plant operational states of a typical refuelling outage were looked at.

3. MAJOR ANALYSIS STEPS

The analysis proved to be a significant challenge due to scarcity of data, lack of knowledge, as well as limitations of existing PSA methodologies. Hereby important methodological aspects are summarized by giving an overview of every major analysis step.

The external event PSA for the Paks plant followed the commonly known steps: selection and screening of external hazards, hazard assessment for screened-in external events, analysis of plant response and fragility, PSA model development, and risk quantification and interpretation of results.

3.1. Selection and Screening of External Hazards

During the first step of identifying external hazards that required detailed analysis, we made an attempt to develop a comprehensive list of potential site specific external hazards. At first we performed a review of regulatory requirements nationally and internationally. Relevant requirements of the Hungarian Nuclear Safety Codes [1] and WENRA reference levels [2] made it possible to determine the vast majority of potential external hazards. In addition, use was made of the following documents to identify the initial list of potential external hazards:

• the stand-alone volume of the joint ANS-ASME PRA standard that sets forth probabilistic safety assessment methodology for external hazards [3], [4],
• a guidance document of the Swedish nuclear safety authority that builds upon the Finnish and Swedish external hazard assessment experience [5],
• the Specific Safety Guide of the International Atomic Energy Agency on level 1 PSA [6].

We applied a successive approach with combined deterministic and partially probabilistic screening of all the potential external hazards to identify the risk significant ones that needed detailed analysis to quantify the plant risk. During this screening it was found that the available hazard analyses did not make it possible to decide whether tornados and blockage of the water intake filters could be screened out. Additional hazard assessment has been proposed to clarify these questions.

After screening the following natural external hazards were subject to detailed analysis:

• extreme wind,
• extreme rainfall,
• extreme snow,
• extremely high and low air temperature,
• lightning,
• extreme frost and ice formation.

3.2. Hazard Assessment

The objective of hazard assessment was to determine event frequencies for different magnitudes of the parameter which represents best the load induced by an external hazard. Hazard assessment was based on the data collected by the Hungarian Meteorological Service at station Paks during the past few decades. The following observations were taken into consideration:

• maximum gust of wind [m/s],
• instantaneous and daily average maximum and minimum air temperature [°C],
• maximum 10, 20, 60 minute and daily precipitation intensity [mm/min],
• maximum thickness of snow [cm],
• maximum load of frost and icing [g/mm].


The main difficulty in determining the occurrence frequency of extreme weather conditions is the lack of observations for those events whose probability should be estimated, since data samples from experience are available for short durations only. The results include significant uncertainties irrespective of the computational method applied. In accordance with the international practice of climatological applications, we made use of extreme value theory to characterize and quantify each external hazard. Hazard curves were established by fitting a Gumbel distribution to the annual extreme values of the most up to date site specific meteorological data. Hypothesis testing was conducted to justify that the Gumbel distribution was an appropriate approximation of the hazard curves. It is noted that lightning as an external hazard required a different analysis approach because several physical properties of lightning had to be assessed in order to be able to characterise the vulnerability of plant structures and equipment.

Extreme weather conditions were estimated at different confidence levels (5, 15, 30, 50, 70, 85 and 95%) for 1 to 10⁻⁷ 1/a frequency of exceedance. The results of hazard analyses are not discussed hereby for every single hazard, but Figure 1 demonstrates the hazard curves for extreme snow as an example. The results of the analysis show – among others – the plant design basis value for the occurrence frequency of 10⁻⁴ /a at 50% confidence level (107 cm) and the lower limit of the safety assessment which has the occurrence frequency of 10⁻⁷ /a (e.g. 175 cm at 50% confidence level). The hazard curves also demonstrate the uncertainty limits of the Gumbel approximation, e.g. the expected thickness of snow for occurrence frequency of 10⁻⁵ /a is 104 cm at 5% confidence level, while it is 166 cm at 95% confidence level.

[Plot: frequency of exceedance [1/a] (logarithmic axis, 1 down to 0,0000001) versus return level [cm] (0 to 250), one curve per confidence level: 5, 15, 30, 50, 70, 85 and 95%.]

Figure 1 Hazard curves for extreme snow
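An added example (not the authors' code or data) of the hazard-curve construction described in this section: a Gumbel distribution fitted to annual maxima, with bootstrap percentiles standing in for the confidence levels. The snow depths are constructed, and the method-of-moments fit and the bootstrap are assumptions, since the paper does not state which estimator or uncertainty method was used.

```python
import math
import random
import statistics

EULER_GAMMA = 0.5772156649015329

# Constructed annual maximum snow depths in cm (illustrative, not Paks data).
ANNUAL_MAXIMA_CM = [12, 25, 8, 31, 19, 44, 15, 22, 37, 10, 28, 17, 52, 21, 14,
                    33, 26, 9, 40, 18, 23, 30, 13, 47, 20, 16, 35, 24, 11, 29]
CONFIDENCES = (0.05, 0.15, 0.30, 0.50, 0.70, 0.85, 0.95)


def fit_gumbel(sample):
    """Method-of-moments Gumbel fit; returns (location mu, scale beta)."""
    beta = statistics.stdev(sample) * math.sqrt(6) / math.pi
    mu = statistics.mean(sample) - EULER_GAMMA * beta
    return mu, beta


def return_level(mu, beta, exceedance):
    """Level exceeded with the given annual probability (0 < exceedance < 1)."""
    return mu - beta * math.log(-math.log1p(-exceedance))


def exceedance_probability(mu, beta, level):
    """Annual probability that the yearly maximum exceeds `level`."""
    return -math.expm1(-math.exp(-(level - mu) / beta))


def bootstrap_levels(sample, exceedance, confidences=CONFIDENCES, n_boot=1000, seed=1):
    """Percentiles of the return level over bootstrap resamples of the record.

    A short record gives widely scattered fits, which is what spreads the
    confidence curves apart at low exceedance frequencies.
    """
    rng = random.Random(seed)
    levels = sorted(
        return_level(*fit_gumbel(rng.choices(sample, k=len(sample))), exceedance)
        for _ in range(n_boot))
    return {c: levels[min(n_boot - 1, int(c * n_boot))] for c in confidences}


if __name__ == "__main__":
    mu, beta = fit_gumbel(ANNUAL_MAXIMA_CM)
    print(f"fit on {len(ANNUAL_MAXIMA_CM)} years: mu = {mu:.1f} cm, beta = {beta:.1f} cm")
    for frequency in (1e-4, 1e-5, 1e-7):
        band = bootstrap_levels(ANNUAL_MAXIMA_CM, frequency)
        print(f"{frequency:.0e} /a: point estimate {return_level(mu, beta, frequency):6.1f} cm, "
              f"5% {band[0.05]:6.1f} cm, 50% {band[0.50]:6.1f} cm, 95% {band[0.95]:6.1f} cm")
```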

3.3. Plant Response and Fragility Analysis

In the analysis of plant response to external hazards we characterized the loads induced by each external hazard on safety related systems, structures and components (SSCs) in such a form that was appropriate for use in probabilistic safety assessment. We determined the probability of loss of essential safety functions and spurious actuations for different levels of load by means of fragility curves. The methods applied to describe fragility varied among characteristic groups of external hazards.

The effects of loads from wind and snow on structures and outdoor facilities were analysed in detail for the purposes of plant response analysis. Vulnerability of power transmission lines to extreme frost and ice formation (hereafter: frost) was also taken into consideration during plant response analysis. Wind, snow and frost related fragility curves, as an outcome of the corresponding fragility analysis, were established by using a closed mathematical expression for different confidence levels. Design data were reviewed, safety margins ensured by the standards applied during structural design were assessed, and use was made of a recent large scale structural re-analysis for the plant to determine fragility. Figure 2 demonstrates the wind related fragility curves for the reactor hall as an example.


[Plot: conditional failure probability [-] (0 to 1) versus gust of wind [m/s] (40 to 100), one curve per confidence level (5, 15, 30, 50, 70, 85 and 95%) plus the mean value.]

Figure 2 Wind related fragility curves for the reactor hall

Primarily hydraulic load assessment for the canalization system helped to evaluate how external flooding caused by extreme precipitation would impact the operability of safety related SSCs. The plant response evaluation of lightning strikes required a different methodology than the analysis of other meteorological events, because lightning could cause various failure modes depending on lightning properties that cannot be characterised by a single parameter. Accordingly, lightning related fragility was described by examining the fulfilment of the design requirements prescribed in the applicable lightning protection standards and thus by evaluating the effectiveness of the lightning protection system at the plant. Primary and secondary hazardous effects of a lightning strike were taken into consideration in this evaluation. To determine the plant response to extreme temperatures, we compared the temperature resistance of each safety related component given by the manufacturer to the expected environmental temperature at the location of the component in different plant operational states (full power, low power and shutdown states) with considerations to the applicable operational strategies in such extreme conditions and to the capacity of the connected HVAC (heating, ventilation, air conditioning) systems.

The plant response analysis proved to be the most challenging task in the PSA for external events mainly due to the lack of supporting analyses as well as data on component capacity that could be usefully and sufficiently applied in fragility assessment for PSA. Therefore, high priority was given to assemble an expert panel that could support the PSA with knowledge and experience about plant design, operation and safety analyses in relation to external hazards. Staff members of the plant had the most important role in that expert panel.

3.4. PSA Model Development

Based on the findings of hazard assessment and plant response analysis, core damage risk induced by extreme precipitation and lightning was found to be insignificant. However, some follow-on analyses were proposed and safety enhancement measures were conceptualised to fully underpin this conclusion. Due to lack of appropriate data and supporting analysis on the capacity of plant systems and components no PSA model has been developed yet for extreme temperatures. At present efforts are being made to enable risk quantification in relation to extreme temperatures. Consequently, PSA models have been developed for extreme wind, snow and frost hazards at this stage of the analysis. RiskSpectrum PSA Professional was applied for modelling purposes, utilizing to the extent possible the PSA models for internal events and seismic hazards developed earlier for full power as well as low power and shutdown states. Models developed for wind, snow and frost hazards are discussed in brief hereafter.


The initiating event of each PSA model is the relevant external hazard (wind, snow or frost) characterized by hazard curves (as demonstrated in Section 3.2). The loads from wind, snow or frost initiating event might cause damage to structures or outdoor facilities identified during plant response analysis. Hazard induced damage and failure forms were put into fragility groups. All the structures and equipment that were found virtually identical from the point of view of vulnerability to a specific hazard were grouped together, assuming fully correlated failures of all the components in a group, and a single set of fragility curves was assigned to each group. We determined eight wind related and nine snow related fragility groups, as well as one frost related group. Hazard induced transient initiating failures and additional system, train or component level failures and degradations were identified by a thorough examination of failure effects within each fragility group. The impact of block wall collapse on electrical cables was also taken into consideration during the identification of hazard induced failures. During this examination failures that could be caused by the simultaneous occurrences of different group failures were also identified. Based on the failures identified a list of transient initiating failures that could potentially occur due to a hazard was established. It was found that the plant responses to and the mitigation process for the identified single transient initiating failures were virtually the same for random (internal) initiating events and for transients induced by external hazards. The scope of safety functions that should be fulfilled following the occurrence of multiple transient initiating failures is assumed to be a union of the safety functions modeled for single transient initiating failures, taking into account the external hazard induced failures of the mitigation systems.

A so-called generic event tree was built up for each hazard in every plant operational state to identify hazard-induced core damage sequences. This event tree models both single and multiple hazard-induced transients together with the associated consequences on plant and human responses. On one hand each potential hazard induced transient is represented by a single dedicated event tree header in the generic event tree and on the other hand the last header in the tree combines all the core damage event sequences from all the single transient initiating failures that may occur. A simple reading of the event tree is that upper branches represent (as usual) the success of the given event tree header (the associated transient initiating failure does not occur), while lower branches represent failure of the given event tree header (occurrence of the given transient initiating failure). By setting the appropriate boundary condition sets on each event sequence, the last header represents all the mitigation functions and systems for the transients modelled in the corresponding event sequence.

A lot of failure modes considered in the PSA for internal events can be induced by an external hazard, too. As a first modelling step the failure modes that were found sensitive to the effects of external hazards were listed. Thus a failure mode included in this list can occur as a consequence of an external hazard or due to random, non-hazard related effects. For these failure modes the basic events of the PSA model for internal events were transferred into an OR gate that defined the connection logic between the two types of failure causes (i.e. hazard and non-hazard related ones).

Pre-initiator (type A) human actions considered in the PSA for internal events are included in the external event PSA without any modification because these actions are independent of the nature of the initiator. Initiator (type B) human actions that contribute to the development of a plant transient are generally not considered in the external event PSA where the external hazard is the only (common cause) initiator, although the occurrence of plant transients initiated by snow load can be prevented if snow is removed from some designated areas in a timely manner. To model this effect failure to remove snow from the roofs of some technological buildings and other facilities in time was taken into account as a contributor to the development of snow related transients. Most post-initiator (type C) actions considered in the PSA for internal events are identically included in the external event PSA. However, in the external event PSA no credit is given to a type C action, if major structural or equipment failures incapacitate the personnel to successfully interact either in the control room or by means of local actions.

During data assessment for PSA quantification the hazard potential was characterised by a family of continuous hazard curves, while hazard-induced equipment and structural failures were described by continuous fragility curves within the hazard levels of interest. This approach was preferred to defining discrete hazard ranges. The reliability data for random equipment failures were taken from the PSA for internal events.


3.5. Risk Quantification and Interpretation of Results

As stated above, for risk quantification purposes we used a family of continuous hazard and fragility curves, rather than using discrete values for different hazard magnitude ranges. The occurrence frequency of a minimal cutset induced by a specific external hazard (f(MCS)) was determined partly by convoluting the input hazard curves with the relevant family of fragility curves, as well as by taking into account the probability of random equipment failures using the following formula of approximation:

$$f(MCS) = FP(NEBE_1) \cdot \ldots \cdot FP(NEBE_{NE}) \cdot \sum_i FF_i(EBE_1) \cdot \ldots \cdot FF_i(EBE_E) \cdot h_i$$

where:

• NEBE_j denotes basic events for random failures in the minimal cutset, i.e. failures that occur independently of the external hazard (j = 1, 2, … NE);
• FP(NEBE_j) is the probability of a random failure in the minimal cutset;
• EBE_k is a basic event in the minimal cutset representing a failure due to an external event (k = 1, 2, … E);
• FF_i(EBE_k) is the mean conditional fragility probability for external hazard range “i” of a basic event in the minimal cutset representing a failure due to an external event;
• h_i is the mean occurrence frequency of the external hazard range “i”.

The conditional probability of core damage (CCDP(MCS)) in relation to a minimal cutset can be assessed as:

= h

The frequency of core damage induced by an external hazard (CDF) is determined as follows:

= 1 − 1 − ∙ h

The dominant core damage minimal cutsets of failures induced by external hazards were determined in the first place by using the RiskSpectrum PSA Professional software applied generally to model development and quantification in the Paks PSA. Since RiskSpectrum cannot be used to perform the numerical approximation of the convolution integral, following the generation of minimal cutsets, separate, stand-alone computer codes were applied to determine cutset frequencies, calculate the overall core damage frequency, and perform uncertainty and sensitivity analyses.
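An added example (not the stand-alone codes mentioned above) of the cutset frequency approximation f(MCS): the hazard curve is cut into ranges, h_i is the occurrence frequency of each range, and the fragilities are evaluated at the range midpoint. The Gumbel curve is derived from the two 50% confidence snow values quoted in Section 3.2; the lognormal fragility shape, its parameters, the random failure probability and all function names are assumptions.

```python
import math


def gumbel_from_two_points(x1, p1, x2, p2):
    """Gumbel (mu, beta) passing through two (level, exceedance) points."""
    y1 = -math.log(-math.log1p(-p1))
    y2 = -math.log(-math.log1p(-p2))
    beta = (x2 - x1) / (y2 - y1)
    return x1 - beta * y1, beta


def make_hazard(mu, beta):
    """Hazard curve: annual exceedance (treated as frequency, 1/a) of a load level."""
    return lambda level: -math.expm1(-math.exp(-(level - mu) / beta))


def lognormal_fragility(median, beta):
    """Assumed fragility shape: P(failure | load) = Phi(ln(load / median) / beta)."""
    def ff(load):
        return 0.5 * (1.0 + math.erf(math.log(load / median) / (beta * math.sqrt(2.0))))
    return ff


def cutset_frequency(random_probs, fragilities, hazard, lo, hi, n_ranges):
    """f(MCS) = prod_j FP(NEBE_j) * sum_i [prod_k FF_i(EBE_k)] * h_i.

    All hazard-induced basic events see the same load within range i, so their
    fragilities are multiplied inside the sum, not convolved separately.
    """
    width = (hi - lo) / n_ranges
    conditional_sum = 0.0
    for i in range(n_ranges):
        a = lo + i * width
        b = a + width
        h_i = hazard(a) - hazard(b)          # occurrence frequency of range i
        ff_i = math.prod(ff(0.5 * (a + b)) for ff in fragilities)
        conditional_sum += ff_i * h_i
    return math.prod(random_probs) * conditional_sum


# Snow hazard at 50% confidence from the text: 107 cm at 1e-4 /a, 175 cm at 1e-7 /a.
SNOW_MU, SNOW_BETA = gumbel_from_two_points(107.0, 1e-4, 175.0, 1e-7)
SNOW_HAZARD = make_hazard(SNOW_MU, SNOW_BETA)

# Constructed cutset: two snow fragility groups and one random failure.
ROOF_A = lognormal_fragility(median=160.0, beta=0.25)   # cm of snow, constructed
ROOF_B = lognormal_fragility(median=200.0, beta=0.30)   # cm of snow, constructed
RANDOM_FAILURES = [1e-2]                                 # constructed

if __name__ == "__main__":
    for n in (4, 40, 400, 4000):
        f = cutset_frequency(RANDOM_FAILURES, [ROOF_A, ROOF_B], SNOW_HAZARD, 0.0, 400.0, n)
        print(f"{n:5d} hazard ranges: f(MCS) = {f:.3e} /a")
```

The printed values show why a few coarse hazard ranges are not enough: the sum only stabilises once the ranges are narrow compared with the scale of the hazard curve.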

For risk characterisation, the point estimate of core damage frequency and the annual core damage probability were determined for the different external hazards in each plant operational state. By summing up the core damage probabilities for the various plant operational states, we calculated the cumulative plant risk (annual core damage probability) induced by the different external hazards. We used qualitative analysis to identify and explain the minimal cutsets that were found dominant contributors to the cumulative plant risk.

Importance and sensitivity analyses were used to calculate the following measures for each fragility group in relation to the cumulative plant risk:
• Fussell-Vesely importance (fractional contribution - FC);
• Risk reduction worth (risk decrease factor - RDF);
• Sensitivity measures (SU, SL, SU/L).

Sensitivity measures for each fragility group were determined by assuming a higher and a lower value of HCLPF (High Confidence of Low Probability of Failure) for the group. These higher and lower values were selected so that they represented one order of magnitude change in the hazard occurrence frequency. Moreover, we assessed the expected decrease in the cumulative annual core damage probability if the HCLPF of those fragility groups that have lower resistance than the design basis of the plant was increased up to the design basis value. The results of these analyses enabled the characterisation of expected risk reduction if certain safety improvements were made.

The complete set of the hazard curves for an external event and the full range of fragility distributions for each structure and component representing different confidence levels were combined through a convolution integral to develop true uncertainty distributions for external hazard induced failure frequencies. Also, uncertainties in hazard induced failures were combined with uncertainties in human error rates and non-hazard related equipment failures using Monte Carlo simulation. As a result the probability density function and the cumulative probability distribution function of the core damage frequency were obtained. Quantification was done by using a spreadsheet application developed earlier in support of the seismic PSA.

4. FINDINGS

The development of external events PSA for the Paks NPP was completed by the end of 2012. Hereby we summarize the quantified core damage risk induced by natural external hazards and the identified main risk contributors. In addition, we highlight some of the most important analysis areas that need to be further dealt with in order to develop a full scope external event PSA, as well as to reduce uncertainties and conservatism where necessary.

4.1. Core Damage Risk

A detailed logic model was developed for extreme wind, snow and frost hazards, and core damage risk was quantified only for these hazards, for the following reasons:
• Risk induced by extreme rainfall and lightning was found insignificant on the basis of design characteristics and corrective actions that the plant management has already made commitment to in order to enhance safety.
• The assessment for extremely high air temperature was limited to an initial and rough estimation of the conditional core damage probability if loss of off-site power was assumed in hot weather conditions. Among others, this limitation is attributable mostly to the uncertainties in operational strategy under harsh weather conditions and to the uncertainty in assessing the impact of high temperature on the off-site power system.
• Currently no solid assessment of core damage risk due to extremely low air temperature could be made. This is in the first place due to the uncertainties in operational strategy under harsh weather conditions and uncertainties in hazard assessment. Moreover there is a need for performing further analyses to enable an appropriate quantification of the temperature related fragility of some systems and components.

Based on the results of PSA model quantification, the point estimate approximation of the annual core damage probability induced by external hazards is:
• 1.24·10⁻⁵ from extreme wind;
• 5.20·10⁻⁶ from extreme snow;
• 2.78·10⁻⁶ from extreme frost.

These figures include the contributions of all the plant operational states analysed. The results show that the risk from extreme weather phenomena is important in comparison to the risk originated from other types of initiating events analysed in the PSA for the Paks plant.

Some results of the uncertainty analysis are indicated in Table 1 below. The figures show large uncertainties in the risk estimates.

                 5 %          Median       95 %
extreme wind:    1.23·10⁻⁷    4.75·10⁻⁶    1.84·10⁻⁴
extreme snow:    4.68·10⁻⁸    1.17·10⁻⁶    2.91·10⁻⁵
extreme frost:   1.43·10⁻⁷    2.61·10⁻⁶    4.77·10⁻⁵

Table 1 Uncertainties in annual core damage probability estimates for different external hazards


The main contributors to core damage risk from extreme wind were found to be the structural failure of the longitudinal electrical gallery (part of the main building complex), failure in the power lines of the off-site power system and the human failure event to establish plant operation in island-mode. Regarding extreme snow the main risk contributors are failure to remove snow from the roofs of safety related buildings, structural failure of the turbine building and structural failure of the on-site substation control building located at the switchyard. The ultimate contributor to frost induced risk is the failure of power lines in the off-site power system and in the switchyard.

4.2. Unresolved issues

We proposed numerous follow-on efforts and corrective actions based on lessons learned from the different PSA analysis steps, as well as on the results of risk quantification and the associated sensitivity studies. These proposals can be grouped into the following major categories:
• Those that can reassure the adequacy of the technical basis to screen out hazards considered negligible from risk point of view (e.g. tornado, blockage of water intake system, extreme rainfall, lightning);
• Those that can enable risk assessment for hazards not characterized quantitatively yet (e.g. extreme air temperatures, hazards currently considered insignificant);
• Those that can, by means of reducing uncertainties, establishing a better technical basis of the applied analytical assumptions, or decreasing unnecessarily high conservatism, enable a more accurate assessment of risk from hazards already quantified (extreme wind, snow, or frost).

Some of the proposals belong to more than one of the above-mentioned categories. Based on the results of the current study, competent members of the plant management have defined their position as follows:
1. Safety enhancement measures already in preparation and follow-on analyses in order to ensure a refined and more complete risk assessment have to be performed first.
2. If the refined assessment shows an unacceptable level of core damage risk, then, among other risk reduction measures, it might be necessary to set-up a detailed operational and transient mitigation strategy to follow in case of extreme meteorological conditions, similarly to the seismic safety concept elaborated earlier at the plant.

On the basis of the current analysis, it has already been pointed out that the detailed strategy referred to in item 2 above could significantly lower the risk from external hazards and the probability of human errors in severe weather conditions.

The most important area of follow-on analyses regarding extreme wind is the need to review the available structural analyses of the plant more thoroughly in order to better assess structural fragilities and subsequently reduce assumed conservatism in risk assessment to the extent possible. Moreover the reliability of establishing plant operation in island-mode in case of loss of off-site power could be enhanced since the failure of the power grid proved to be a significant risk contributor due to its less stringent design criteria.

With respect to extreme snow, the potential snow induced blockage of air intake systems to the diesel generators and to the demineralised water storage tanks needs to be further studied. Also, modification of the relevant plant procedure on removal of snow deposits from building roofs has been proposed together with identification and allocation of human and equipment resources to enhance the effectiveness of actions aiming at the prevention of transient initiating failures and thus to lower core damage risk. Furthermore a more detailed review of the available structural analyses of the plant has also been proposed in order to better assess structural fragilities and subsequently reduce assumed conservatism in risk assessment to the extent possible. Regarding extreme frost, complementary assessments are needed to decrease conservatism by assessing the safety margin of relevant components and power lines at the switchyard beyond the design basis.

To fully justify that plant risk imposed by extreme rainfall and lightning is insignificant, some unresolved issues need to be clarified. A reassessment of the response of the canalisation system to hydraulic loads is needed with modified boundary conditions in comparison to the existing analyses. It may become necessary to establish controlled flooding of the diesel generator building as a result of this reassessment. Although controlled flooding cannot prevent the rooms inside the building from flooding, it can ensure the functionality of all safety related components if a few components are installed at higher elevation. In addition, it is considered necessary to examine whether extreme rainfall could lead to the damage of safety related components due to flooding through underground structures (e.g. cable tunnels).

Concerning the risk from lightning, protection of safety related components against lightning is currently subject to a review at the plant with focus on the secondary effects of lightning in particular. Protection of components will be improved where necessary.

The risk assessment for extremely high and low air temperatures proved to be the most challenging task. Therefore it requires the most significant follow-on efforts. Detailed analysis is needed to evaluate the effectiveness and reliability of the plant HVAC systems during harsh weather conditions. Temperature limits for the safe operation of all components, with consideration of the actuation of temperature related protection, need to be determined in order to assess the sequence of equipment trips during harsh temperature conditions. Temperature resistance of electrical, control and instrumentation components located outside of the plant buildings should be assessed in detail to determine the safety margin beyond design basis and to underpin fragility analysis. The vulnerability of mechanical components to extreme temperatures needs to be reviewed. Fragility assessment regarding extreme temperatures needs to be conducted for the off-site power system to quantify core damage risk in an appropriate manner. It should be analysed whether safe stable plant conditions can be ensured by using power supply from the emergency diesel generators in the absence of off-site power during extremely high and low air temperature conditions.

5. CONCLUSION

Development of external events PSA for the Paks NPP was completed by the end of 2012. The analysis followed the commonly known steps: selection and screening of external hazards, hazard assessment for screened-in external events, analysis of plant response and fragility, PSA model development, and risk quantification and interpretation of results. The risk of core damage induced by natural external hazards was quantified to the extent seen feasible. In addition to risk quantification, unresolved issues and necessary follow-on analyses were identified and proposed. At present an action plan is being developed for these analyses.

Core damage risk has been assessed quantitatively for wind, snow and frost hazards. Detailed importance, sensitivity and uncertainty analyses were conducted. Moreover the main risk contributors induced by these external events were also identified. Additional follow-on analyses were proposed to enable an improved risk quantification by means of reducing uncertainties, establishing a better technical basis for the applied analytical assumptions, or decreasing unnecessarily high conservatism.

Based on the findings of hazard assessment and plant response analysis, the core damage risk induced by extreme rainfall and lightning was found to be insignificant. However, some follow-on analyses were proposed and safety enhancement measures were conceptualised to fully underpin this conclusion. Due to lack of appropriate data and supporting analysis on the capacity of plant systems and components no PSA model has been developed yet for extreme temperatures. Follow-on analyses necessary for quantifying the risk of core damage induced by extreme temperatures have been identified.

References

[1] Hungarian Nuclear Safety Code; Volume 3, Design Requirements for Nuclear Power Plants. Hungarian Atomic Energy Authority, Budapest, Hungary, 2011.

[2] WENRA Reactor Safety Reference Levels (www.wenra.org), January 2008.

[3] American National Standard for Level 1 / Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, ANSI/ASME/ANS RA-S-2008 (revision of ANSI/ASME/ANS RA-S-2002), ASME, New York, USA, 2008.

[4] American National Standard for External Event PRA Methodology ANSI/ANS-58.21-2007 (revision of ANS-58.21-2003), ANS La Grange Park, USA, 2007.


[5] M.Knochenhauer and P.Louko: Guidance for External Events Analysis, SKI Research Report 02:27, Swedish Nuclear Inspectorate, Stockholm, Sweden, 2003.

[6] Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, Specific Safety Guide No. SSG-3, IAEA, Vienna, Austria, 2010.


TREATMENT OF EXTERNAL EVENTS IN THE LINKED EVENT TREE METHODOLOGY NPP GOESGEN – DAENIKEN EXAMPLE

Thomas Kozlik

Nuclear Power Plant Goesgen-Daeniken AG

Abstract

The NPP Goesgen-Daeniken uses a combined level 1 / level 2 PSA model for its event analyses. The model uses a linked event tree approach, using the software RISKMAN®. Each initiating event passes through a modularized event tree structure, consisting of external events pretrees, alignment and support systems trees and frontline and containment response trees. This paper explains the structure of the linked event trees. Switches are used to bypass certain trees for specific initiating events. The screening process applied to possible external events is explained. The final scope of considered natural external events in the Goesgen PSA consists of earthquakes, seasonal events causing cooling water intake plugging or external floods. The structure of the natural external events pretrees is explained. The treatment of external floods is explained in more detail. Floods at the Goesgen site are caused by extreme river flows into the old branch of the river. A new model has been developed to analyse the probabilistic flood hazard using a bivariate distribution (water level and flood duration). Analysing the statistical data, the time trend had to be considered. The Goesgen PSA models 7 external flood initiating events, considering different water levels and durations at the flooded plant site. The building fragilities were developed in terms of resistance times. The RISKMAN® external flood pretree consists of top events for operator actions and failure of the building functions, which leads to the functional failure of equipment located at the lower elevation of the building.

NPP GOESGEN-DAENIKEN

The nuclear power plant Goesgen-Daeniken is a single plant unit, operating since 1 November 1979 with a thermal power of 3002 MW and an electrical output of 1035 MW. The NPP Goesgen-Daeniken is a three-loop pressurized water reactor of the German supplier KWU (now AREVA). It is located in the on the south bank of the river Aare between and Aarau.

Figure 1: Situation of NPP Goesgen-Daeniken

The NPP Goesgen-Daeniken is at the southern shore of the meandering river course. The major part of the water flows, diverted by a dam some kilometres upstream, through a water channel to the hydro-electric power plant Goesgen. The NPP Goesgen-Daeniken has two cooling water intake buildings (buildings M0 and M5). The cooling water intakes have the function of supplying the nuclear conventional auxiliary cooling water systems as well as providing additional water treatment of the cooling tower and the water purification system. The building M0 is located in the upper channel (upstream of the hydro-electric power plant) and delivers the needed water under normal operating conditions. The second water intake building M5 is located downstream of the hydro-electric power plant and is activated automatically upon unavailability of the upper channel.

NPP GOESGEN-DAENIKEN PSA MODEL

For its PSA studies, NPP Goesgen-Daeniken uses the RISKMAN© for Windows software package, which runs on personal computers and consists of 4 major applications:

• The Data analysis module is used to create database distributions and to update those using Bayesian techniques.
• In the Systems module, systems can be modeled using fault tree methods to quantify component interactions. Basic and top events as well as initiators can be defined, using the distributions from the data module to quantify the failure rates. Definition of common cause failure groups and creation of minimal cutsets are also implemented in the systems module.
• The Fragility module is used for the analysis of seismic or wind events.
• The Event Tree Analysis models scenarios beginning with an initiating event and follows sequence paths through a series of linked event trees to damage states. The event trees contain top events that may represent systems analyzed using the Systems module.

The Gösgen Level 1 PSA model is an integrated model that contains a fully developed interface with the Level 2 PSA containment event trees. The Level 1 model includes all systems and operator actions that are important for preventing core damage. The Level 1 model also includes systems that are important for maintaining the containment functions after core damage occurs. Thus, the Level 1 event sequences define the status of essentially all the systems and many important operator actions that affect the Level 2 assessment of accident progression and containment phenomenological response. The only major exception to this rule is that the Level 1 models do not include the hardware or operator actions to open the containment filtered vent path. Each endpoint from the combined Level 1 event trees defines an event sequence that is described by an initiating event, followed by the success or failure of plant systems, operator actions, and containment systems that are designed to mitigate the accident. Each core damage event sequence has a unique "signature" that is defined by these combinations of successes and failures.

LINKED EVENT TREE APPROACH

The complete event sequence model is developed through a series of modularized and linked event trees. A total of 30 event tree modules were developed for the study. They include:

• One event tree that evaluates flooding events

• One event tree that evaluates seismic failures of components and structures.

• Two event trees that evaluate fire related failures of components and structures.

• One event tree that evaluates aircraft crash related failures of components and structures.


• Six event trees that evaluate the Goesgen support systems.

• Twelve event trees that evaluate frontline system responses for the different functional initiating event categories.

• Two event trees that evaluate accident management actions to prevent core damage or to mitigate the consequences of an accident.

• Five event trees that assign core damage event sequences to the appropriate plant damage states and develop the interface with the Level 2 PSA models.

In addition, there are two event trees that model the containment response to core damage scenarios.

POSSIBLE EXTERNAL EVENTS

This section describes the analyses that were performed to evaluate the potential risk significance from external events that may affect the plant. The approach used is simple and consists of:

• Identification of external hazards.

• Screening of external hazards identified based on established criteria.

In the first step, an extensive review of information on the site, the surrounding region, and the plant design was performed to identify all external events potentially of risk importance to Gösgen. Information reviewed includes data on hydrology, geology, and meteorology for the site, on seismological characteristics of the region, and on industrial and military activities in the vicinity of the power plant. External events considered in other PSAs and in PRA procedure guides were also consulted. The next step in the analysis was the screening of the external hazards identified for the plant. Each hazard identified was evaluated in order to select the significant external events for detailed analyses. The screening criteria used for the external hazards identified are:

• The event is of significantly lesser damage potential than the events for which the plant has been designed.

• The event has a significantly lower frequency of occurrence than other events with similar consequences.

• The event cannot occur close enough to the plant to affect it.

• The event is included in the definition of another event.

External events that do not meet any of the above criteria were retained for further analysis. The full spectrum of hazard severity was considered in the screening process. The following points were considered for the screening:

• The Goesgen plant is located on the Aare River in the northern area of Switzerland.

• The Goesgen plant is not located near any major chemical, industrial, or military facility that contains large amounts of hazardous materials.

• The closest light industrial facilities between the NPP Goesgen-Daeniken site and the railroad are located more than 600 meters from any plant building that contains PSA equipment (e.g., emergency diesel generator Building K1). These facilities do not contain sufficient inventories of hazardous materials that could pose a significant threat to the KKG equipment or operators. These industries are also governed by their own regulators for safe operation.

• There is no commercial shipping on the Aare River.

• The Goesgen plant is located at a sufficient distance from major highways and rail lines to discount significant impacts from possible transportation accidents. This conclusion is also supported by other PSA analyses for plants that are located much closer to major transportation routes.

• The plant walkdowns did not identify any significant onsite quantities of unusual chemicals or hazardous materials.

The location of the NPP Goesgen-Daeniken site precludes events such as volcanic activity, waves or tsunamis, or sandstorms; other events (such as meteorites) have been screened out due to extremely small frequencies; and events such as lightning, landslides, sinkholes or snow storms have been considered and included in the plant design. Further analysis has therefore been done only on the events listed below:

• Seismic Activities

• Onsite Hazards (fires and floods, turbine missiles)

• Aircraft Crashes

• Extreme Winds and Tornados

• External Floods

• Service Water Intake Plugging

• Offsite Industrial Accidents (natural gas pipeline explosions)

After the events of Fukushima, the Swiss Federal Nuclear Safety Inspectorate ENSI requires a new comprehensive study on extreme weather conditions affecting Swiss nuclear power plants. This study is now in progress and results can be expected by the end of 2013. Furthermore a project to reevaluate the seismic hazards (PEGASOS refinement project) is in its final stage. The impact on the NPP Goesgen-Daeniken caused by seismic events or due to extreme weather conditions will be reevaluated as soon as these studies are finished. For this reason, this paper concentrates on one example, the treatment of external floods in the PSA model.

TREATMENT OF EXTERNAL FLOODS

As described above, the NPP Goesgen-Daeniken is situated at the southern shore of a river bank, while the main water flow is diverted by a dam upstream into an artificial channel which leads to a hydro-electric power plant. The external flood hazard is characterized by one primary parameter, the river flow rate near the location of the nuclear power plant site, and two dependent parameters: the level of submergence of the site area at a specific water level as well as the duration of a potential area flooding. This set of hazard parameters allows modelling of the main physical impacts caused by possible extreme river flow conditions:
• Clogging of water intakes by accumulation of suspended material (linked to flow rate).
• Leak rates into buildings or the availability of operator actions (linked to water level).
• Availability of system functions (duration of external flood).

The results of flood analysis can be affected by secondary flood effects like jamming of civil hydro-structures. This may cause backflow or additional side flow effects that have to be addressed in a plant specific probabilistic safety analysis for external floods based on physical simulations.

For the next step (characterizing the capacity of the plant to withstand external floods), it is required to identify the system functions and their equipment and the associated building functions required to assure safe shutdown state during the considered external flood. For equipment located inside buildings, the capacity to withstand area flooding conditions can be related to the capability of buildings to absorb possible leaks into the building without rendering the equipment unavailable. The flood capacity of building functions is therefore defined as the resistance time (how long a building function can withstand the flood). For buildings that are not completely tight the resistance time depends on the leak and drain rates, the free building volume and the location of the component inside the building. Equipment inside leak tight buildings will not be affected by the flood directly but may fail due to failure of support systems (or due to independent failure).

To evaluate resistance times Wt, it is necessary to identify potential leak paths, evaluate leak rates QLeck, the building absorption volume Vabs and the available drain systems Qdrain. The resistance time is calculated as follows:

$$Q_{Leck}\,W_t = V_{abs} + Q_{drain}\,W_t\,; \qquad W_t = \frac{V_{abs}}{Q_{Leck} - Q_{drain}} \qquad (1)$$

If the capacity of the drain system is bigger than a certain possible leakage, then the resistance time is set equal to the mission time of the PSA for the corresponding water level (components may still fail due to independent failure though).

To compute the conditional failure of building functions for different water levels, fragility functions need to be developed. Based on the available data, normal distributions were identified as suitable to describe the resistance time of the buildings, N(μ_W, σ_W), conditional on the water level, as well as the duration of the flood, N(μ_HW, σ_HW). The failure probability of a building function can be calculated by equation (2):

$$P_{fail} = \Phi\left(-\,\frac{\mu_W - \mu_{HW}}{\sqrt{\sigma_W^2 + \sigma_{HW}^2}}\right) \qquad (2)$$
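The resistance-time and fragility calculation of equations (1) and (2), worked through as an added example that is not part of the original paper or of the Goesgen PSA. All numerical inputs (absorption volume, leak and drain rates, standard deviations, mission time, units) are constructed; the Monte Carlo cross-check and the zero failure probability assigned when the drains carry the leakage are assumptions of this example.

```python
import math
import random


def resistance_time(v_abs, q_leak, q_drain, mission_time):
    """Equation (1): W_t = V_abs / (Q_Leck - Q_drain), here in hours.

    v_abs in m3, q_leak and q_drain in m3/h (units assumed for this example).
    If the drain capacity covers the leakage, the resistance time is set to
    the PSA mission time, as the text prescribes.
    """
    if min(v_abs, q_leak, q_drain, mission_time) < 0:
        raise ValueError("volumes, rates and times must be non-negative")
    net_inflow = q_leak - q_drain
    if net_inflow <= 0:
        return mission_time
    return v_abs / net_inflow


def std_normal_cdf(x):
    """Standard normal CDF, Phi(x), via the complementary error function."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def building_failure_probability(mu_w, sigma_w, mu_hw, sigma_hw):
    """Equation (2): probability that the resistance time N(mu_w, sigma_w)
    is shorter than the flood duration N(mu_hw, sigma_hw)."""
    spread = math.hypot(sigma_w, sigma_hw)  # sqrt(sigma_w^2 + sigma_hw^2)
    if spread == 0.0:
        # Degenerate case: both quantities are known exactly.
        return 1.0 if mu_w < mu_hw else 0.0
    return std_normal_cdf(-(mu_w - mu_hw) / spread)


def monte_carlo_failure_probability(mu_w, sigma_w, mu_hw, sigma_hw,
                                    n=100_000, seed=1):
    """Independent check of equation (2) by sampling both distributions."""
    rng = random.Random(seed)
    failures = sum(
        rng.gauss(mu_w, sigma_w) < rng.gauss(mu_hw, sigma_hw)
        for _ in range(n)
    )
    return failures / n


def flood_fragility(v_abs, q_drain, mission_time, cov_w, cases):
    """Failure probability of one building function per water level.

    cases: (water_level, q_leak, mu_hw, sigma_hw) tuples. cov_w is an assumed
    coefficient of variation for the resistance time. When the drains carry
    the leakage, this example reports no flood-induced failure (assumption).
    """
    rows = []
    for level, q_leak, mu_hw, sigma_hw in cases:
        mu_w = resistance_time(v_abs, q_leak, q_drain, mission_time)
        if q_leak <= q_drain:
            p_fail = 0.0
        else:
            p_fail = building_failure_probability(
                mu_w, cov_w * mu_w, mu_hw, sigma_hw)
        rows.append((level, mu_w, p_fail))
    return rows


# Constructed inputs: water level, leak rate (m3/h), mean and standard
# deviation of the flood duration (h). Leak rate grows with water level.
CASES = [
    (0.3, 4.0, 3.25, 1.0),
    (0.5, 15.0, 5.0, 1.5),
    (0.9, 25.0, 11.3, 2.0),
]

if __name__ == "__main__":
    for level, mu_w, p_fail in flood_fragility(120.0, 5.0, 24.0, 0.3, CASES):
        print(f"level {level:>4}: W_t = {mu_w:5.1f} h, P_fail = {p_fail:.4f}")
```
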

PROBABILISTIC FLOOD HAZARD ANALYSIS

Because the NPP Goesgen-Daeniken is located at the watershed downstream of a dam, flooding of the site area can only occur in case of extreme river flows in the old branch of the river Aare, while in normal situations the upper channel of the hydropower station Goesgen may ingest large outlet flows below the upstream weir, bypassing the Goesgen site. The river flow at this weir is therefore taken as the primary hazard parameter in the analysis. As the nearest measurement station of river flows is located in Murgenthal, even further upstream of the weir in question, the river flow at the weir is calculated as the sum of the incoming flow at the measurement station in Murgenthal, HQMurgenthal, and additional inflows on the river path from Murgenthal to the weir, which is located in Winznau, ∆QWinznau:


$$HQ_{KKG} = Q_{Murgenthal} + \Delta Q_{Winznau} - Q_{OW} \qquad (3)$$

with QOW being the flow rate into the canal. Based on the assessment of the drain basin between Murgenthal and Winznau and evaluating past high river events, a simplified estimation formula was found:

$$\Delta Q_{Winznau} \approx 0.073\,Q_{Murgenthal} \qquad (4)$$

As the flow into the upper canal also depends on the hydropower station Goesgen and its availability AVHydro, and with V being the probability of plugging of the hydropower station Goesgen, the following model has been used to quantify the flow into the upper canal:

$$Q_{OW} = AV_{Hydro}\,NQ\,(V_1) + (1 - AV_{Hydro})\,MQ\,(V_2) \qquad (5)$$

with NQ being the flow rate into the hydropower station at normal conditions and MQ being the flow rate when the hydropower station is shut down. V1 and V2 are the probabilities of the hydropower station being plugged during normal operation and shut down state respectively.

RESISTANCE TIMES (FRAGILITIES) OF BUILDING FUNCTIONS IN CASE OF FLOOD

Resistance times of building functions were developed using a combined experimental and analytical approach. The resistance times depend mainly on leak flows into the buildings, which in turn depend on water level and flow stagnation pressure. For the most important building, the bunkered emergency feedwater building ZX, the leak flow characteristics for different quality levels and types of door seals have been obtained experimentally. Figure 2 shows the leak flow characteristic (leak rate versus water level) for the double doors and the total of the building (red curve) of the ZX building.

Figure 2: Leak flow characteristic of the ZX building

As the doors located at the outer boundary of the building open to the outside, the leak tightness of the doors was found to increase as well with increasing water level and stagnation pressure.


PSA RISK MODEL

High river flow can not only affect the plant by flooding of the plant area; it can also impact the availability of the two water intakes, located in the upper canal intake building M0 and the lower canal intake building M5. The potential impacts have been analyzed using a dependency matrix.

Table 1: State dependency matrix for water intakes

Weir Winznau Weir Winznau Upper channel Dependent Dependent state state state state state of main water of second water intake M0 intake M5 Normal Normal Open Assumed to be Available plugged Normal Normal Plugged (drift Available wood, logs) Failed open Open Open Assumed to be Available plugged Failed open Plugged (drift Open Assumed to be Available (within wood, logs) plugged design values) Failed open Plugged (drift Plugged (drift Plugged Available (within wood, logs) Failed wood, logs) design limits), open plugged for large floods

The analysis of the available data (measurements of water levels) led to the definition of seven flood initiating events.

As a next step, initiating events were defined in terms of a hazard curve for the primary hazard parameter river flow. The hazard curve was split into seven discrete mutually exclusive intervals, each representing an ensemble of hazard scenarios and being represented by a frequency of occurrence, the associated river flow and the corresponding values for water level and area flood duration.

Table 2: Defined flood initiators

Initiator   River flow (m³/s)   Average water level   Average duration (h)   Probability of exceedance (1/a)
HWIE1       1380 – 1480         0.08                  2                      1.14E-4
HWIE2       1480 – 1550         0.3                   3.25                   2.35E-5
HWIE3       1550 – 1600         0.45                  3.9                    6.79E-6
HWIE4       1600 – 1700         0.53                  7.15                   4.73E-6
HWIE5       1700 – 1900         0.7                   10.5                   1.23E-6
HWIE6       1900 – 2100         0.9                   11.3                   4.92E-8
HWIE7       >2100               1.5                   12.5                   1.74E-9

A new pretree was added to the linked event trees in the NPP Goesgen-Daeniken PSA model. The failures of the top events in the tree are used as logical switches to fail the affected support systems (e.g. cooling water supply from the main cooling water intakes, or electrical power supply if cable trays are affected) or frontline systems (e.g. auxiliary feedwater pumps located in the turbine building). The operator actions included in this tree were quantified using the ASEP screening method [7]. Different human error probabilities (HEPs) were evaluated considering the different time windows and the different complexity of tasks to be performed for the different external flood initiating events.

Figure 3: FLDET external flood pretree

Table 3: Top events in the flood pretree FLDET

Top event | Description | Comment
FDLIE | Switch (logical) | Bypass tree for non-flood initiators
WGRID | Loss of offsite power | Guaranteed failed for floods exceeding a river flow of 1550 m3/s
OAWE | Operator action (oa) to protect special emergency building ZX |
OAZKB | Oa to protect diesel building ZK02 |
OAZKA | Oa to protect diesel building ZK01 |
WUL | Failure of ZX drain system during external flood |
WZX | Failure of building function during flood |
WZE | Failure of electrical building during high flood | Lower parts of the building fail up to flood level
WZM | Failure of nuclear cooling water building ZM02 | Failure of all 4 redundancies of nuclear service water system VE (conservative assumption)
WZKB | Failure of building ZK02 | Failure of buses BX, BW. Building ZK02 fails before ZK02
WZKA | Failure of building ZK01 | Failure of buses BU, BV
WZKV | Failure of building ZV during external flood |
WZAB | Failure of reactor building (lower level functions) |

RESULTS OF RISK ANALYSIS

The PSA model for full power was quantified. It was established that the plant modifications performed or under completion lead to a significant reduction of the core damage frequency and of the large early release frequency. The overall contribution of external floods to core damage frequency is in the range of 0.2% of the total core damage frequency of the plant. The contribution to large early releases is negligible (below 10^-12/a) and is mainly attributable to independent failures occurring concurrently with the flood impacts. External floods essentially do not affect the containment isolation function.

References

[1] J.-U. Klügel, P. Vögtlin, B. Das, V. Chavez-Demoulin and D. Farshi, "Probabilistic Risk Analysis of External Floods for the NPP Goesgen," in Transactions, SMiRT 21, 6-11 November 2011, Paper ID# 662, New Delhi.

[2] KTA, "Schutz von Kernkraftwerken gegen Hochwasser, KTA2207," KTA Unterausschuss Anlagen- und Bautechnik, Länderarbeitsgemeinschaft Wasser, 2004.

[3] UVEK, Verordnung des UVEK über die Methodik und die Randbedingungen zur Überprüfung der Kriterien für die vorläufige Ausserbetriebnahme von Kernkraftwerken, SR 732.114.5, UVEK: , 2008.

[4] D. Vose, Risk Analysis: A Quantitative Guide, 3rd edition, The Atrium, Southern Gate, Chichester: John Wiley & Sons, 2008.

[5] P. Embrechts, C. Klüppelberg and T. Mikosch, Modelling Extremal Events for Insurance and Finance, New York: Springer, 1997.

[6] ABS Consulting, RISKMAN for Windows, Version 14.0, Irvine, CA: ABS Consulting, 2013.

[7] A. Swain, "Accident Sequence Evaluation Program Human Reliability Analysis Procedure, NUREG/CR-4772," NRC, Washington, 1987.


THE PROBABILISTIC RISK ANALYSIS OF EXTERNAL HAZARDS OF AN INTERIM STORAGE FOR SPENT NUCLEAR FUEL IN OLKILUOTO

Tiia Puukka (a)
(a) Teollisuuden Voima Oyj (TVO), Eurajoki, Finland

Abstract:

Due to natural disasters that have occurred around the world and the experience gained from the Fukushima nuclear accident, knowledge of the role and influence of external hazards in the safety of interim storage of spent nuclear fuel has received particular emphasis. For that reason it is essential that they are included in the probabilistic risk assessment (PRA) of the interim storage facility. This is also required by the Regulatory Guides issued by the Finnish Radiation and Nuclear Safety Authority STUK. To enhance safety culture and nuclear safety in Olkiluoto, the Finnish utility Teollisuuden Voima Oyj has recently completed an analysis of external natural risks (seismic events are studied in a separate analysis) and unintentional human-induced risks associated with the spent fuel pool cooling and decay heat removal systems, as part of the full-scope PRA study for the interim storage of spent fuel (KPA store). The analysis had four goals: (1) to determine the definition of an initiating event in the context of the KPA store, (2) to identify all potential external hazards and hazard combinations, (3) to perform a qualitative screening analysis based on frequency-strength analysis and detailed plant response analysis and (4) to model the hazards that passed the screening analysis so that the model can be used as a risk analysis tool in risk informed decision making and operating procedures. The assessment included the analysis of the operating procedures for decay heat removal, and the study of external hazard related initiating events included in the PRA of the OL1 and OL2 nuclear power plants and their dependencies on the initiating events of the KPA store. All external hazard related initiating events were modeled using the fault tree linking method.
The main result and conclusion of this study was that the screening analysis did not identify any initiating events caused by external hazards that could lead to leakage of the spent fuel pools or that could pose a threat to the integrity of the KPA store building. According to the detailed quantification, decay heat removal is the most critical safety function of the KPA store. Decay heat removal from the spent fuel pools depends on the function of the sea water system or, when necessary, on the additional water supply arrangements. Thus potential hazards originating from the sea, like oil accidents and loss of sea water accidents, may contribute to the loss of the decay heat removal systems.

Keywords: PRA, PSA, external hazards

1. INTRODUCTION

The Finnish utility Teollisuuden Voima Oyj (TVO) owns and operates two 880 MWe BWR NPP units, Olkiluoto 1 (OL1) and Olkiluoto 2 (OL2), in Finland. A third unit (OL3, 1600 MWe PWR NPP) is at present under construction at Olkiluoto. The PRA development for OL1 and OL2 units started in 1984 with Level 1 PRA model. The first complete Level 2 PRA model was finished in 1997. The first analysis of all external hazards exceeding the design basis was also completed in 1997.

TVO has recently expanded the PRA modelling with a full-scale PRA study for the interim storage facility of spent fuel (KPA store) located at the Olkiluoto plant site. The full-scale PRA study is scheduled to be finalized in the mid-term of 2013. External natural hazards (excluding seismic events) and unintentional human-induced risks were analyzed as one part of this PRA study according to the Regulatory Guides issued by STUK [1]. Seismic events were analyzed separately as a particular element of the full-scale PRA study. Only the PRA study of external natural hazards and unintentional human-induced risks is described in this paper.

The main goal of the PRA study of external hazards of the KPA store was to develop a PRA model to assess the importance of identified external events and most important accident sequences with regard to radioactive release from the KPA store. The most relevant phase in this PRA study was to create a comprehensive group of all possible and identifiable external hazards and hazard combinations at Olkiluoto site and to determine the probabilities and occurrence frequencies of these hazards. The modelling is carried out using the traditional PRA modelling methods, such as event trees and linked fault trees.

2. OF THE KPA STORE AND THE MAIN SAFETY FUNCTIONS

The KPA store is located at Olkiluoto plant site. In the KPA store, the spent fuel assemblies are stored in storage pools under water. The KPA store has been used for spent fuel storing since 1987. It was originally designed for intermediate storing of spent fuel from OL1/OL2 NPPs and it included six pools (three fuel storage pools, one handling and evacuation pool, one loading pool and one transfer channel). However, the extension of operating time for the OL1/OL2 NPPs from 40 years to 60 years and the upcoming need for intermediate fuel storing from the OL3 NPP requires extension of the current storage capacity of the KPA store. Original spent fuel storing capacity is currently being extended with three new fuel storage pools. The extension is scheduled to be completed by the end of 2013.

The KPA store building (Figure 1) consists of three different compartments: reception, storage, and process and control. In addition, the KPA store includes a separate sea water pump station building and the tunnels and pipelines required to connect the sea water pump station and the KPA store building. Sea water is used as the ultimate heat sink for spent fuel pool cooling.

Figure 1. A cross section of the KPA store building.

The most relevant safety function of the KPA store is to ensure the spent fuel pool cooling. The safety task of the spent fuel pool cooling system is to ensure the removal of residual heat generated in spent fuel by maintaining adequate cooling of the storage pools, the treatment and evacuation pool, and the transfer pool during fuel transfers. The residual heat is transferred into the sea via an intermediate cooling system. The residual heat removal can also be carried out by boiling the coolant water, using additional piping installed as one part of the safety improvement actions based on the lessons learnt in Fukushima. The piping can be used to add makeup water to the pools by connecting water sources both inside and outside the KPA store. In case of emergency, it will be possible to use fire hydrants or fire trucks to feed auxiliary makeup water to the KPA store pools.

3. THE IMPLEMENTATION OF THE EXTERNAL HAZARDS PRA

3.1. The scope of the PRA analysis

In the PRA analysis of external hazards (and all other initiating events) a certain kind of average situation in the KPA store was assumed. In this average situation the residual heat generated in a spent fuel storage pool was 500 kW. The analysis of external hazards was limited to the static state including spent fuel handling and storage. Fuel transportation from the power plant units to the KPA store was not included in this study.

Based on the results of the criticality safety analysis carried out to determine the success criteria for PRA modelling, the current measures for criticality safety of the KPA store cover all the expected initiating events, and subcriticality is ensured in all identified accident scenarios. The coolant water inventory of the spent fuel pools was calculated for the case of long-term loss of fuel pool cooling. The calculations were carried out by VTT [2]. According to these calculations the estimated time span (time after the loss of fuel pool cooling) for fuel pool boiling is 6 days and for fuel uncovery (radioactive release) 36 days.

3.2. Identification and screening of the external hazards

Because the risk of fuel damage and large release is low at the KPA store, even very rarely occurring external hazards (frequency above the level of 1E-08) may make a significant risk contribution through initiating events that can affect the safety functions of the KPA store. Therefore, the aim of the identification of potential external hazards was to create a comprehensive list of external hazards (originating from the air, ground or water) to be analyzed in the screening process. Altogether 62 different external hazards were identified (25 air based hazards, 15 ground based hazards, 18 water based hazards and four hazard combinations).

In the PRA study, a set of conservative screening criteria was formulated to minimize the possibility of omitting significant risk contributors while reducing the amount of analysis to a reasonable volume. All identified potential external hazards needed to be either screened out using the defined screening criteria or analyzed in more detail [3]. The set of screening criteria consisted of six criteria commonly used in PRA analyses (Table 1).

Table 1. Screening criteria [4].

Criterion | Description
C1 | The hazard is of equal or lesser damage potential than the events for which the plant has been designed.
C2 | The hazard has a significantly lower mean frequency of occurrence than other events and could not result in worse consequences than those events.
C3 | The event cannot occur close enough to the plant to affect it.
C4 | The event is included in the definition of another event [5].
C5 | The anticipation time of the event is more than the time specified to be needed for precautions, or the increase rate of the strength of the event is low enough for carrying out the preplanned precautions [6].
C6 | The event is not included in the scope of this thesis. The event is studied separately.

3.3. Initiating events

Only the initiating event "loss of residual heat removal" was included in the PRA model. Leakages from the storage pools were screened out, because possible events leading to pool leakages were not identified during the identification and screening process of the external hazards. Table 2 shows the external hazard initiating events modelled in the PRA model of the KPA store.

Table 2. External hazards initiating events modelled in the PRA model of the KPA store.

External event | Description | Frequency (1/year)
Y.WEA-LI/RHR/AC-SIGN | Lightning: Loss of the control system of division A or C | 8.00E-08
Y.WEA-SU/RHR/AC | Frazil ice: Loss of RHR chain and total loss of sea water | 3.3E-04
Y.WEA-ML/RHR/2 | Organic material in sea water: Loss of RHR chain and total loss of sea water | 7.78E-07

According to the separate system recovery and dependence analysis, the KPA store has common dependencies with the OL1 NPP unit (e.g. make-up water distribution dependencies). A simultaneous initiating event at OL1 NPP and the KPA store (Table 3) increases the risk of radioactive release from the KPA store. Therefore, the PRA of the KPA store also includes external hazard event scenarios leading simultaneously to initiating events in the KPA store and OL1 NPP, e.g. the oil accident situation (WEA-OS/TF).

Table 3. External hazard event scenarios leading simultaneously to initiating events in the KPA store and OL1 NPP.

External event | Description | Frequency [in KPA] (1/year)
WEA-MT/TE/234 | MUSSELS: drifted into the intake channel. Loss of off-site power and total loss of sea water. | 1.03E-6
WEA-MT/TE/34/ | MUSSELS: drifted into the intake channel. Loss of off-site power and partial loss of sea water. | 6.76E-7
WEA-MP/TF/AC | MUSSELS: in the discharge channel. Loss of condenser and feed water. Loss of sea water (divisions A and C). | 3.90E-4
WEA-MP/TF/BD | MUSSELS: in the discharge channel. Loss of condenser and feed water. Loss of sea water (divisions B and D). | 3.90E-4
WEA-MT/TF/2 | ALGAE: drifted into the intake channel. Loss of condenser and feed water. Partial loss of sea water. | 7.78E-7
WEA-MT/TF/234 | ALGAE: drifted into the intake channel. Loss of condenser and feed water. Total loss of sea water. | 1.87E-6
WEA-MT/TF/34 | ALGAE: drifted into the intake channel. Loss of condenser and feed water. Partial loss of sea water. | 1.92E-6
WEA-OS/TF | OIL: drifted into the intake channel. Loss of condenser and feed water. Total loss of sea water. | 2.67E-5
WEA-SU/TF/ABCD | FRAZIL ICE: Loss of condenser and feed water. Total loss of sea water. | 1.09E-5
WEA-SU/TF/AC | FRAZIL ICE: Loss of condenser and feed water. Total loss of sea water. | 1.92E-5
WEA-SU/TF/BD | FRAZIL ICE: Loss of condenser and feed water. Total loss of sea water. | 6.26E-4

3.4. Event trees

Because possible external events leading to pool leakages were not identified during the analysis, only event trees for loss of residual heat removal were included in the PRA model. The event trees are based on the accident progression and KPA store response determining the accident sequence frequencies for the two end-states: (1) the boiling of coolant in the fuel storage pools; and (2) the spent fuel uncovery leading to radioactive release.

According to the accident progression calculations performed by VTT, the event tree with the end-state of pool boiling (Figure 2) has a time span of 6 days. The residual heat removal chain of the KPA store has two redundant systems (one in operation mode, one in standby mode), and one RHR chain is sufficient for proper residual heat removal.

The initiating event is defined as loss of the operating residual heat removal chain. If for some reason both RHR chains are lost, auxiliary makeup water can be supplied to the storage pools. Auxiliary makeup water can be supplied to the pools in three different ways: (1) through a permanent direct connection from the OL1 NPP demineralized water tanks, (2) using additional trains connected to the heat removal chain or (3) using fire hydrants. Only one of these alternative systems is needed to prevent the pools from boiling. If all auxiliary water systems are lost, the consequence is pool boiling within 6 days [7]. External hazard events that can cause initiating events only in the KPA store (Table 2) were modelled in this event tree.

Figure 2. The event tree for pool boiling.

[Figure 2 event tree. Headings: RHR/1st chain (RHR), RHR/2nd chain (RHR), Demi-water (DEMI), Additional trains (ADDI), Fire hydrants (FIRE), Consequences. End-states: OK, BOILING.]
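As an added illustration (not part of the paper or of TVO's PRA model), the following Python code quantifies the pool-boiling event tree of Figure 2 for the three initiating events of Table 2. Only the initiating-event frequencies come from the paper; the branch failure probabilities, and the assumption that a total loss of sea water also fails the standby RHR chain, are constructed for the example.

```python
from math import isclose

# Initiating-event frequencies (1/year), taken from Table 2 of the paper.
INITIATORS = {
    "Y.WEA-LI/RHR/AC-SIGN": 8.00e-08,  # lightning
    "Y.WEA-SU/RHR/AC": 3.3e-04,        # frazil ice
    "Y.WEA-ML/RHR/2": 7.78e-07,        # organic material in sea water
}

# Mitigating headings of Figure 2, in tree order. The first heading of the
# figure (RHR/1st chain) is the initiating event itself.
HEADINGS = ("RHR2", "DEMI", "ADDI", "FIRE")

# CONSTRUCTED conditional failure probabilities over the 6-day mission time.
# These are illustrative values, not plant data.
BASE_FAILURE = {"RHR2": 5e-2, "DEMI": 1e-2, "ADDI": 5e-2, "FIRE": 1e-1}

# ASSUMPTION: initiators described as "total loss of sea water" act as a
# logical switch that fails the standby RHR chain (probability 1.0).
SWITCHES = {
    "Y.WEA-SU/RHR/AC": {"RHR2"},
    "Y.WEA-ML/RHR/2": {"RHR2"},
}


def branch_probabilities(initiator):
    """Failure probability per heading with hazard-induced switches applied."""
    failed = SWITCHES.get(initiator, set())
    return {h: 1.0 if h in failed else BASE_FAILURE[h] for h in HEADINGS}


def quantify(initiator):
    """Walk the tree and return a list of (sequence, end_state, frequency).

    Success of any single heading ends the sequence in OK; only the path on
    which every heading fails reaches BOILING.
    """
    p = branch_probabilities(initiator)
    freq = INITIATORS[initiator]  # frequency of reaching the current branch
    path, sequences = [], []
    for h in HEADINGS:
        sequences.append(("/".join(path + [h + "-ok"]), "OK", freq * (1.0 - p[h])))
        freq *= p[h]
        path.append(h + "-fail")
    sequences.append(("/".join(path), "BOILING", freq))
    return sequences


def end_state_frequency(end_state):
    """Frequency (1/year) of an end-state, per initiating event."""
    return {
        ie: sum(f for _, state, f in quantify(ie) if state == end_state)
        for ie in INITIATORS
    }


if __name__ == "__main__":
    boiling = end_state_frequency("BOILING")
    total = sum(boiling.values())
    for ie, f in boiling.items():
        print(f"{ie:22s} {f:.3e} 1/year  ({100 * f / total:.2f} % of boiling)")
    print(f"{'total':22s} {total:.3e} 1/year")
```

With these constructed inputs the frazil ice initiator dominates the boiling frequency, both because its initiating-event frequency is the highest in Table 2 and because the switch removes the credit for the standby RHR chain.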

The event tree for radioactive release with the end-state of uncovered fuel assemblies (Figure 3) has a time span of 36 days. Initiating events are scenarios leading simultaneously to initiating events in the KPA store (loss of operating residual heat removal chain) and OL1 NPP. These initiating events are external natural hazards (described in Table 3) or earthquakes.

The event tree considers the same systems for residual heat removal and auxiliary water supplies as modelled in the pool boiling event tree. In addition, the event tree takes into account the possibility of recovering safety systems because of the long period of time before fuel uncovery. The worst accident sequence leads to radioactive release, which can occur within 36 days if all the recovery actions have failed [7].

Figure 3. The event tree for radioactive release.

[Figure 3 event tree. Headings: RHR/1st chain (RHR), RHR/2nd chain (RHR), Demi-water (DEMI), Additional trains (ADDI), Fire hydrants (FIRE), Recovery/Demi-water (REC), Recovery/Add. trains (REC), Recovery/RHR-chains (REC), Consequences. End-states: OK, RHR OK, WATER LEVEL OK, RELEASE.]

4. RESULTS AND CONCLUSIONS

Although the PRA study of external hazards of the KPA store has been completed, the final work to complete the full-scope PRA analysis is still on-going. The PRA for the KPA store will be finalized in the mid-term of year 2013. Based on the results there will be actions to improve the safety of the KPA store. Based on the external hazards analysis, some conclusions can be drawn.

Altogether 62 different potential external hazards were identified and 53 of them passed the screening analysis. The following nine hazards were quantified in detail:

- Strong wind

- High air temperature

- Low air temperature

- Lightning

- Low sea water level

- High sea water level

- Frazil ice

- Organic material in sea water

- Solid or fluid impurities from ship release (e.g. large oil spills)

According to the results of the detailed quantification of the above mentioned hazards, only lightning, frazil ice and events with organic material in the water are relevant to model in the PRA model of the KPA store.

Based on the detailed quantification it was found out that the situation of high sea water level could have significant impact on the risk of loss of spent fuel cooling capacity because of the relatively low location of the sea water pump motors. This was also revealed earlier in the EU-Stress report for the Olkiluoto NPP carried out after the accident in Fukushima [8]. During the initiating event frequency assessment it appeared that the probability of sea water level (N60 system) above the design basis safety level of the KPA store (+2.5 m) is at most 1E-08 [4]. Based on these results the sea water pump motors will be lifted up to level +3.5 m.

The role and influence of lightning strikes on the usability of equipment is not well known. In particular, it would be useful to know the equipment tolerance against overvoltage better. Overvoltage protectors could be used more widely in the KPA store to protect the important cable glands against induced voltage so that the potential difference could not pass to the switchboards or electrical equipment. That is why the lightning events are modelled in the PRA model of the KPA store even though the frequency of lightning strikes is rather low. The lightning protection of the KPA store is implemented using potential alignment by connecting the metallic parts of the building together. The metallic parts form a Faraday cage whose performance is difficult to predict. A ball lightning may penetrate into the Faraday cage. In Olkiluoto, the lightning protection also includes locating the electrical equipment and cables at least 0.3 m away from the walls. It is difficult to estimate whether the safety distance is sufficient or not.

Based on the PRA analysis the preparedness to prevent the effects of possible oil accidents originating from the sea can be considered to be at a sufficient level in Olkiluoto. However, regardless of the well designed countermeasures there are no operating instructions against the situation that oil has already drifted into the sea water system and reduces the capacity of spent fuel cooling systems of the KPA store. That is why TVO has contracted out a detailed study of oil accidents and possible effects that oil can have on heat exchangers, pumps or screens and how this equipment can be purified after the oil exposure. The operating instructions will be established according to the results of this study.

One of the main results of the external hazards analysis was that initiating events causing pool leakages were not identified. Based on this result (and the results of separate seismic analysis) the PRA of the KPA store includes event trees for storage pool leakages but they are not modelled in the PRA because of very low probability. The KPA store has significant dependencies on the safety systems of OL1 NPP. Based on the PRA analysis, one identified accident scenario is such that initiating event would occur for both OL1 NPP and KPA store simultaneously.

The frequency of large release from the KPA store according to the PRA model at the end of May 2013 (model version PRAISE-IE HTUU8) is 1.9E-10 per year. The contributions to the release frequency are shown in Figure 4. It can be seen that earthquakes (frequency 1.84E-10) cover some 99 % of the total large release frequency. External hazards (initiating events leading simultaneously to initiating events in the KPA store and OL1 NPP, frequency 1.5E-12) cover only 1 % of the total large release frequency. It seems that external hazard events that can cause initiating events only in the KPA store (Table 2) did not have a relevant impact on the total release frequency. The worst case consequence of these events may only be pool coolant boiling; radioactive releases cannot result.

Figure 4. Contribution of risks of large release.

External hazards 1,51E‐12 1/year 1 %

Earthquakes 1,84E‐10 1/year 99 %

5. UNCERTAINTY REVIEW

The PRA analysis of this thesis involves many uncertainties. Identification of external hazard related risks and determination of the screening criteria can carry uncertainties that underestimate risk, because there is no certainty that all potential risks have been identified. Evaluation of the initiating event frequencies of the external hazards is fraught with significant uncertainties. In Finland (or in other comparable countries) the effects of the very extreme weather phenomena discussed in the PRA of external hazards of the KPA store, such as high sea water temperatures, have not been witnessed. This is why in many cases the determination of the effects that this kind of rare event can have had to be made without any measured site-specific data.

Evaluation of the external event frequencies is mostly based on the extrapolation in which the selection of a distribution type has high significance. The accessible meteorological observation data is gathered from relatively short time period in order to assess the return periods of weather related phenomena. Climate change contributes to the proliferation of extreme weather related hazards. Verifications between different kinds of distribution fittings can be more than decades.

One uncertainty factor related to the external hazard frequencies and the PRA analysis is the preparedness of the plant and operating personnel against the external hazards. The preparedness and countermeasures may at least apparently affect the occurrence frequencies of some hazards. Certain individual hazards rarely have instantaneous effects on the plant site of the KPA store and in the Olkiluoto region.

6. REFERENCES

[1] The Finnish Radiation and Nuclear Safety Authority STUK. Guide YVL 2.8 Probabilistic safety analysis in safety management of nuclear power plants. Radiation and Nuclear Safety Authority, Helsinki, 2003.

[2] Ikonen K., Könönen N. & Lindholm I. Source term categories for PRA purposes of interim spent fuel storage, VTT research report VTT-CR-09150-11, 2012. [Confidential]

[3] ASME/ANS RA-Sa-2009. Standard for Level 1 / Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications. The American Society of Mechanical Engineers, New York, 2009.

[4] Puukka, T. The probabilistic risk analysis of external hazards of an interim storage for spent nuclear fuel. Master's Thesis, 2012.

[5] U.S. Nuclear Regulatory Commission. PRA Procedures Guide - A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants. NUREG/CR-2300, U.S. Nuclear Regulatory Commission, Washington, 1983.

[6] Knochenhauer, M. & Louko, P. Guidance for External Event Analysis. NPSAG 2003. SKI Research NPSAG 2003, Swedish Nuclear Safety Authority SKI, Sweden, 2003.

[7] Tuulensuu, H. & Helminen, A. Probabilistic risk analysis for the interim spent fuel storage. Presentation in the Nordic PSA Conference – Castle Meeting 2013.

[8] Viitanen P. EU Stress test for Olkiluoto NPP - Licensee report, 28.10.2011


EXTERNAL EVENTS ANALYSIS IN PSA STUDIES FOR CZECH NPPS

Holy J. *), Hustak S. *), Hladky M. **), Mlady O. ***), Kolar L. *), Jaros M. *)
*) ÚJV Řež, a. s., Hlavni 130, 250 68, Husinec-Rez, Czech Republic
**) NPP Dukovany
***) NPP Temelin

Abstract

The purpose of the paper is to summarize the current status of natural external hazards analysis in the PSA projects maintained in the Czech Republic for both Czech NPPs – Dukovany and Temelin. The presentation focuses on the basic milestones of the external event analysis effort – identification of external hazards important for the Czech NPP sites, screening out of the irrelevant hazards, modeling of plant response to the initiating events, including the basic activities regarding vulnerability and fragility analysis (supported with on-site analysis), quantification of accident sequences, interpretation of results and development of measures decreasing external events risk.

The following external hazards, which have been addressed during the last several years in PSA projects for Czech NPPs, are discussed in the paper:
1) seismicity
2) extremely low temperature
3) extremely high temperature
4) extreme wind
5) extreme precipitation (water, snow)
6) transport of dangerous substances (as an example of man-made hazard with some differences identified in comparison with natural hazards)
7) other hazards, which are not considered as very important for Czech NPPs, were screened out in the initial phase of the analysis, but are known as potential problem areas abroad.

The paper is a result of coordinated effort with participation of experts and staff from engineering support organization UJV Rez, a.s. and NPPs located in Czech Republic – Dukovany and Temelin.

1. Introduction – brief history of PSA studies for NPPs in the Czech Republic and the part of external events risk analysis in them

There are two NPPs in the Czech Republic, and PSA projects have been "operated" for both of them for a long time.

The PSA study for NPP Dukovany originated at the very beginning of the 1990s. The full power model for internal events was developed in the first half of the 1990s, followed by the low power and shutdown model and the Level-2 model. In the late 1990s, a Living PSA project for NPP Dukovany was started, providing room for a yearly plant PSA up-date taking into consideration the most up-to-date results of supporting (deterministic) safety analyses as well as all modifications in plant design and operation.

In the 1998-2004 time period, external events risk analysis methodology was developed in specific projects sponsored by the Czech Ministry of Industry and Trade (MPO). The idea was to carry out a know-how transfer from advanced PSA studies from abroad and to adopt the new methodology for plant specific analysis taking into consideration the specific design and operation conditions of Czech NPPs with VVER reactors. Examples of the developed methodologies (in Czech) are [1], [2].

In 2008, a new comprehensive external risk analysis started within the NPP Dukovany Living PSA project, and it has continued until now. This analysis is described in more detail in Section 2 of this paper.

The first analysis of man-originated external risk in the Czech Republic, which covered the very first identification and screening of scenarios in which a person unintentionally causes the risk event, was performed by a small private company in [3]. On the basis of this analysis, UJV specialists carried out a risk analysis [4] for those scenarios which had not been screened out in the previous analysis. In 2010, 2011 the plane crash risk analysis for NPP Dukovany was up-dated. A similar analysis was carried out for the site of the research reactor LVR-15 in UJV Rez, a. s.

The original probabilistic assessment of the Temelin NPP was developed in 1993 – 1996. The PSA project of the Temelin included Level 1 PSA, both for at power and for low-power states, , and the evaluation of risk, fires, floods, seismic events and other external events. Level 2 PSA for NPP Temelin was part of the project.

In 2003, up-date of the original PSA analyses of the Temelin NPP was completed, based on current status of the new power plant during its commissioning. This up-date represented the most recent knowledge on the plant's response to emergency situations, current design, and operational conditions after the implementation of many safety improvements.

Since that time, NPP Temelin PSA model has been updated as required by the relevant guiding documentation. In 2005, Temelin PSA underwent external peer review from regulatory body side with the aim to review PSA models applicability for various risk informed applications, including plant configuration risk monitoring.

In 2010, plant specific operational reliability data were used, for the first time, to replace the originally used generic data in the process of estimation of PSA parameters for selected component failure rates and initiating event frequencies. The risk impact of other external events (OEE), i.e. external events other than seismic events, internal fires and internal floods, on the level of plant safety was then evaluated in the frame of Temelin NPP PSA Project. As a result of this effort, the total CDF decreased slightly, providing evidence that generic data used in the original set of PSA parameters had been selected carefully and adequately in conservative manner.

2. External events risk analysis in the PSA study for NPP Dukovany

In 2008, the first screening and analysis of possible accident scenarios was carried out. In this analysis, identification and selection of external events was made on the basis of a limited list of external hazards, according to the IAEA document [5]. The estimates of event occurrence frequencies and equipment fragility parameters were based on the information presented in the NPP Dukovany Operational safety report. The Gumbel distribution was used for modeling the uncertainty of extreme event occurrence.

The following natural external hazards were found to be potentially important for the NPP Dukovany risk profile in the analysis:

• abrasive storm
• extremely high temperature
• extremely low temperature
• extreme snow
• tornadoes
• extreme wind.

The following external hazards were screened out:

• landslide (neglected due to low IE frequency)
• river flood (neglected due to low risk)
• extreme rain precipitation (neglected due to low risk, but the analysis will be updated in the near future in connection with new information presented in the currently developed plant procedure defining crew response to external events occurrence, based on stress tests evaluation)
• hail (neglected due to low risk)
• ice cover (neglected due to low risk; however, this analysis may be updated in the near future with a changed assumption regarding the frequency of the event of critical intensity)
• tropical cyclones (neglected due to low IE frequency)
• lightning bolt (neglected due to low risk)
• meteorite strike (neglected due to low frequency).

In the more recent period (2010-2013), some previous external events risk analyses were refined and updated on the basis of new assumptions, information, data and changes in plant design and operation. The following analyses have been carried out, for example:

• verification of previous estimation of IE frequencies for selected important external events (extreme wind, extreme snow – in 2010)
• detailed analyses of conditions and parameters of selected plant response scenarios to external events (primary and secondary coolant availability, time windows for operators’ actions – in 2011, 2012, thermo-hydraulic analyses of service water temperature in selected scenarios, analyses of coolant availability for secondary circuit Bleed&Feed cooldown scenario)
• comprehensive analyses of vulnerability of constructions, buildings and structures (2010, 2012), turbine hall vulnerability analysis for extreme wind and seismic event, seismic vulnerability of other buildings (HZS, central pumping station, cooling water, etc.)
• new update of probabilistic risk analysis for selected events (extremely high temperature, extreme snow – in 2012)
• revision of the past selection and screening of external hazards for detailed analysis by means of the new EPRI methodology (list of 66 external hazards used, proposal for more detailed analysis and modeling of the event "extreme rain precipitation", proposal for verification of consequences of the event "Extreme ice cover").

Recently, a new specific challenge connected with the identification and screening part of the analysis has been the evaluation of the potential for simultaneous occurrence of two or more external hazard phenomena. In the case of NPP Dukovany, a matrix of all possible combinations of two external hazards was used to identify the relevant combinations of external events. The following combinations were found to be relevant and possibly important:

• extreme wind x snow storm, heavy snow
• extreme wind x extremely high temperature.

Due to its complexity, comprehensiveness and the resources needed, the NPP Dukovany seismic risk analysis was carried out in specific projects, separately from the remaining external hazards. The methodology, including case studies, was prepared over a relatively long period (2000-2009) in two steps:

• first, a set of methodological approaches [10], addressing individual areas of seismic risk analysis in general, was developed within a specific Czech Ministry of Industry and Commerce project oriented to the safety of NPP operation
• secondly, a specific methodological manual [11] was developed on the basis of the previous outputs, addressing all steps of seismic risk analysis for the concrete NPP Dukovany site.

The analysis of NPP Dukovany Unit-1 seismic risk was performed during the period 2010-2012, in several revisions [12], [13], within the NPP Dukovany Living PSA activities. The most important design basis scenarios corresponding to the PGA values from the interval (0g, 0,1g) were specified as follows:

• emergency reactor shutdown as a consequence of false signal generation
• loss of external electric power supply for the unit
• loss of ultimate heat sink
• emergency reactor shutdown by failure of the operator under the conditions allowing standard shutdown.

For the beyond design basis PGA values, the frequency of seismic event has been found small enough to screen out the seismic event from the PSA model.

3. External events risk analysis in the PSA study for NPP Temelin

For OEE analysis, both qualitative and quantitative screening and analysis methods were used to focus on those external events that might impact the safety of plant operation. The objectives of Temelin NPP OEE analysis were as follows:

• to improve understanding of plant behavior after an accident,
• to understand the most likely OEEs, other than internal fire and flood accident sequences,
• to identify the range of OEE contributing significantly to the overall plant risk,
• to gain full understanding of the spectrum of total core damage frequency contributors,
• to compare OEE risk to the risk from other initiating events.

Various recommended guidelines were used for the NPP Temelin OEE PSA analysis, e.g. [5], [6], [7], [14], [15]. A successive screening process was carried out, with detailed analyses being performed only for those events that were not eliminated by the screening process. The successive screening methodology allowed a flexible approach, concentrating the effort only on the areas with the highest risk potential. This analysis involved the following steps:

• identification of OEE candidates that may impact plant safety,
• general qualitative external events screening,
• plant specific qualitative and quantitative screening with supporting detailed analysis.

The initial generic list of potential OEEs was screened to eliminate irrelevant events from further consideration and to consolidate the other remaining events to the maximum extent possible. The next screening criteria, which were applied on a site specific basis, included the following postulates:

1. the event is not as severe as the plant DB defined in the plant documentation,

2. the event has been included in another event definition already,

3. the event cannot occur near the plant under concern,

4. the consequent core damage event has a site-independent frequency of 1.0E-7/year or less,

5. the event is analyzed elsewhere in the plant PSA.

In the following table, part of the original list of external hazards that underwent the screening process is given as an example. In all cases, the source for identifying an external event and including it in the list was the PRA Procedures Guide.

Table 1: Example of OEE candidates for screening in frame of NPP Temelin external events risk analysis

| EVENT | SCREENING CRITERION | REMARKS |
|---|---|---|
| Aircraft Impact | 4 | based upon plant-specific review |
| Avalanche | 3 | no potential for occurrence |
| Coastal Erosion | 3 | no potential for occurrence |
| Drought | 1 | little effect on the ultimate heat sink |
| Dam Failure | 2 | included in external flooding review |
| Extreme Winds and Tornadoes | None | plant-specific review required |
| Fog | 2 | effects on transportation accident rates included in the data for these events |
| Frost | 2 | impacts of snow and ice govern |
| Hail | 2 | other types of missiles dominate this category of events |
| High Tide, Lake Level, or River Stage | 2 | included in external flooding review |
| High Summer Temperature | 1 | little effect on the ultimate heat sink |
| Hurricane | 2 | included in the external flooding and extreme winds review |
| Ice Cover | 1 | little effect on the ultimate heat sink |
| Industrial or Military Facility Accident | None | plant-specific review required |

In the left column of the following table, all external events, which were not screened out and were recommended for plant specific analysis, are presented. In the right column, the results of analysis are summarized in short for the individual external events.

Table 2: Results of Temelin NPP OEE analysis

| EXTERNAL EVENT | ANALYSIS RESULTS |
|---|---|
| Aircraft impact | No direct impact. The CDF frequency was estimated below 1E-7/yr. |
| Extreme winds and tornadoes | Non dominant risk level (in comparison with other IEs) estimated. More detailed analysis required. |
| Gas pipeline leak/fire | No direct impact. |
| Industrial or military facility accident | Insufficient supporting information at disposal at time of the analysis. More detailed analysis required. High risk level not indicated up to now. |
| External fires | No direct impact. May lead to LOSP. |
| External floods | No impact. No potential for even considering dam(s) failure due to altitude difference. |
| Transportation accidents - highway, railway, shipment | No impact from explosions. Future analysis of potential toxic gas releases and spills is required. |
| Turbine-generated missiles | The CDF frequency was estimated below 1E-7/yr, however additional, more detailed SSCs impact analysis is required for future. |

More detailed information about the results of the external events analyses presented in the table is summarized in the following paragraphs.

Aircraft

It was found that commercial aircraft, military aircraft, and private aircraft have almost no significant impact on plant operation risk estimated in the Temelin NPP. The only potential non-negligible impact for these events would be an aircraft-induced loss of offsite power (LOSP). Such events are included in the frequency developed for the loss of offsite power initiating event (T6).

Natural Gas Pipeline Failure

The natural gas pipeline was found to be at a sufficient distance from the safety-important Temelin NPP structures to preclude significant damage to the plant in case of a safety-important event.

Wind/Tornadoes

The risk impact has been estimated as non-dominant. However, both the exact design criteria for the plant structures and the exact values of frequency and magnitude of extreme winds at the plant site remained in question at the time of the last analysis. Therefore, additional supporting analyses have to be performed before the risk impact of extreme wind can be finally assessed and proven to be (very) low.

Industrial Facilities

Insufficient information was available on one or more of the following items for each of the facilities in question: the kind of hazardous chemicals present, the quantity of hazardous chemicals present, the type of risks posed (explosion, toxic gas release, etc.), and the type of storage structures used. Therefore, additional information will have to be collected before the impact of industrial facilities can be assessed more in detail and proven to be (very) low.

External Fire

The only potential impact identified for external fires is the potential for a fire induced loss of offsite power as the result of the hot combustion gases causing arcing between the phases of the transmission lines. Such events are included in the frequency developed for the loss of offsite power initiating event (T6).

External Flood

Due to the fact that the Temelin plant site is located on the top of a hill at an elevation of 503 to 507 m, and the local rivers are located at an elevation of only 372 to 373 m, external flooding was found to have no impact on the safety of the plant.

Transport

The analysis of hazardous materials transported near the plant site by highway, railway, or shipping found no impact on the plant site. However, it should be noted that the evaluations made to date have not considered the potential risk to the plant from toxic gas releases. This part of analysis will have to be performed before the final statement about the risk caused by transport events is made.

Turbine Missile

While the turbine missile analysis performed to date for the PSAR has shown that there is little potential for a Unit 1 generated turbine missile to impact Unit 1, the study has neglected to evaluate the impact of a Unit 2 generated turbine missile on Unit 1. Since the two Units are located in parallel to each other but are not mirror images of each other, symmetry cannot be used to extend the existing analysis. Therefore, additional analysis must be performed to determine the impact of a Unit 2 generated turbine missile on Unit 1.

4. Conclusions

During the last decade of development of PSA models of Czech NPPs, external events analysis has become an integral part of PSA and risk oriented decision making effort. This process started well before the Fukushima events and is continuing in coincidence with stress tests and other current activities reflecting the impact and consequences of Fukushima accident.

In the near future, the analyses of selected external hazards will continue both at NPP Dukovany and at NPP Temelin. In the NPP Dukovany case, the main goal of the analyses will be to address very important changes in plant design and operation, which are the consequences of measures taken with the goal of increasing plant resistance against external events. It is expected that these changes and the corresponding analyses measuring the safety impact will be completely finished by 2015. In the case of NPP Temelin, new external event risk analyses will be part of a broad PSA Level-1 update planned for the next years.

The first part of each analysis will consist of identification, selection/screening and preliminary analysis of external hazards, using some newly developed approaches, for example the EPRI approach described in [16]. The gradual screening out of external hazards that are irrelevant from the risk point of view, and the development of the final list of external events, can be based on the following criteria:

• Is the given external hazard meaningful and real for the NPP and Unit under concern?
• Are the negative consequences of the given external event fast enough to lead to some risk relevant scenario?
• Is the annual frequency of external event occurrence high enough to have expected risk impact?
• Does the given external event mean real danger regarding exceeding the vulnerability level of safety important components, systems and structures?
• Is the given external event unique (i.e. is it not contained in some other non-screened external event analyzed in the external risk study under concern)?

The second part of the external risk analysis will be oriented to vulnerability, fragility and external event consequences issues and will be carried out in three steps. Step 1 will focus on the selection of potentially risk-important structures, components and systems. The basic set of relevant components, systems and structures will be transferred from the PSA model of internal events for the given NPP. On the basis of importance analysis, some possible subjects of vulnerability/fragility analysis will be screened out. On the other hand, the list of subjects for the next analysis will have to be extended by components not previously considered (in the internal risk analysis) that have a non-negligible potential to be lost due to the consequences of an external event and to cause loss of a (safety) system function. Step 2 of this part of the PSA work will be devoted to fragility analysis. Within step 3, analysis of direct and induced consequences of external event impact (direct and consequent equipment failures) will be carried out.

In the last part of the analysis, the PSA models of Czech NPPs will be updated and quantified and the results of the analysis will be interpreted. Since the recent period has been characterized by a very intensive effort in defining new design and plant operation measures addressing the issues discovered in connection with post-Fukushima (deterministically oriented) activities, the room for identifying new ways to increase plant safety on the basis of PSA alone will be limited. Thus, the main and still very important new goal of the PSA effort in the coming years (related not only to external event analysis, but with the focus put on it) will be to confirm that the new measures adopted bring a significant decrease in plant operation risk.

Although the results of external events risk analysis are characterized by a high level of uncertainty (particularly in the quantitative values of initiating event frequencies), these analyses are a necessary and important step forward in getting a realistic picture of the total risk of NPP operation, despite the fact that a detailed guide for external events PSA modeling does not exist (in many countries, external events are still not included in the PSA models at all).

References

[1] Babic P., Hustak S., Preparation of Framework for Evaluation of External Events Risk, Czech MPO Project on Increasing of effectiveness and safety of NPP operation, Part: Probabilistic Safety Assessment, WP E03/1, December 1998

[2] Jaros M., Methodology for Evaluation of Extreme Natural Conditions, Czech MPO Project Methodological approaches to solution of the safety aspects of VVER plants operation, WP E4.1.1, December 2004

[3] Ferjencik M., PSA-1 for external events caused by human activities and operation of specific equipment inside and out of NPP Dukovany site, October 2003 (Revision 1 in 2005)

[4] Living PSA project for NPP Dukovany, Section G, External Events Caused by Human Activity, UJV Rez, a.s., 2005

[5] IAEA Safety series No. 50-P-7 "Treatment of External Hazards in Probabilistic Safety Assessment for Nuclear Power Plants", IAEA, 1995

[6] IAEA-TECDOC-1487, Advanced nuclear plant design options to cope with external events, IAEA, 2006

[7] NUREG-1407, Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities, Final Report, US NRC, Washington, June 1991

[8] American National Standard, External Events PRA Methodology, ANSI/ANS-58.21-2003, March, 2003

[9] NPP Dukovany Safety Report, Revision 2, December 2005

[10] Jirsa P., Kolar L., Holy J., Methodology of seismic PSA for NPPs, Version 4, UJV Rez a.s., November 2000, ÚJV 11730T

[11] Kolar L., Methodological manual for analysis of risk caused by seismic events in NPP Dukovany site, UJV Rez a.s., October 2009

[12] Kolar L., Seismic risk analysis for NPP Dukovany, UJV Rez a.s., Revision 0, December 2010

[13] Kolar L., Seismic risk analysis for NPP Dukovany, UJV Rez a.s., Revision 1, March 2012

[14] NUREG/CR-2300, “A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants,” January 1983

[15] NUREG/CR-2815, “Probabilistic Safety Analysis Procedures Guide

[16] EPRI 1022997, Identification of External Hazards for Analysis in Probabilistic Risk Assessment, December 2011


SESSION 5

SEISMIC RISK ANALYSIS

Chair: Attila Bareith

C. B. Thierry SEISMIC HAZARD ASSESSMENT AND UNCERTAINTIES TREATMENT: DISCUSSION ON THE CURRENT FRENCH REGULATION, PRACTICES AND OPEN ISSUES

K. Kondo, A. Ichitsuka, M. Nishio, H. Fujimoto LEVEL-1 SEISMIC PROBABILISTIC RISK ASSESSMENT FOR A PWR PLANT

M. Nishio SEISMIC PRA OF A BWR PLANT

M. Mummert OPTIMIZATION OF SAFETY AND SEISMIC CLASSIFICATION DURING THE DESIGN STAGE OF NON-REACTOR NUCLEAR FACILITIES

O. Coman, S. Samaddar, K. Hibino IMPLEMENTATION GUIDELINES FOR SEISMIC PSA

Seismic Hazard Assessment and Uncertainties Treatment: Discussion on the current French regulation, practices and open issues.

BERGE-THIERRY Catherine, CEA-Saclay, DEN, DANS, DM2S, SEMT, EMSI F-91191, France

Abstract

In France, the treatment of seismic risk in the context of nuclear safety is guided by the Fundamental Safety Rule (RFS2001-01) for the assessment of seismic hazard, and by the Guide ASN/2/01 for the design rules of civil engineering structures. These two references were updated in 2001 and 2006 respectively and validated by the Nuclear Safety Authority. The French approach is anchored in a deterministic approach. We propose to recall the principles of the methodology recommended by the RFS 2001-01, and to illustrate the advantages and limitations highlighted in recent years. Indeed, this regulatory framework is used both at the design stage and for the safety reassessment of all nuclear facilities, power reactors and experimental laboratories and factories. We focus on: (i) key parameters of the approach, and their level of knowledge, (ii) key steps and principles that lead to a non-homogeneous approach between various geographic sites, depending on the seismic activity and/or knowledge, (iii) physical phenomena that are not taken into account (such as the geometric extension of the seismic source and the complexity of earthquake rupture on the fault plane), or for which the RFS 2001-01 approach does not provide any guidance (2D and 3D site effects, and non-linear soil behavior under strong motions), (iv) consideration of epistemic and random uncertainties. We also discuss the probabilistic approaches, which are widely implemented both in France, as recently to establish the seismic zoning (the reference for the regulation of conventional buildings and of installations classified for the environment), and worldwide, and which are strongly supported by the International Atomic Energy Agency references (safety guides and guidelines).

The Tohoku earthquake that occurred in Japan on March 11, 2011, triggering the tsunami that itself caused the nuclear accident at the Fukushima Daiichi site, resulted in France in the realization of the Complementary Safety Studies at the request of the Nuclear Safety Authority. These studies, performed by nuclear operators, lead to the proposal of a "Hard Core" of material and organizational arrangements to ensure the control of crucial safety functions in extreme situations. The difficulties inherent in the definition of "extreme situation" in a country of moderate seismicity such as the French metropolitan area will be illustrated and discussed.

1 Current regulation in France for Seismic Risk for NPPs

1.1 Introduction

In France, the treatment of seismic risk for nuclear safety is guided by a site-specific deterministic approach and two references, the first for the seismic hazard assessment, the second for the design of civil engineering structures and important equipment. The first regulation was the French Safety Rule “RFS 1.2.c” issued in 1981, used to define the seismic hazard, associated with the French Safety Rule “RFS V.2.g” providing the design rules. These references were updated in 2001 by the RFS 2001-01 [1] and in 2006 by the Guide/ASN/2/01 [2] respectively. These new references were proposed coherently. In this presentation we focus on the seismic hazard assessment: it is important to underline that between the RFS81 and the current one (RFS 2001-01), neither the global methodology nor the uncertainties treatment has been modified: only specific points were updated or added. Up to now, the deterministic way has been preferred, mainly justified as more adequate in a country of moderate seismicity such as the French metropolitan territory. Since 2001, the RFS 2001-01 and the Guide ASN/2/01 have been the reference methodologies for nuclear operators and the French nuclear safety authority to assess the seismic risk for designing new plants and re-assessing existing ones.

1.2. RFS2001-01 methodology

The full methodology is published and accessible on the website of the French Safety Authority (see [1]). Several authors have already presented the basis of the methodology and the difficulties and limitations of its treatment of epistemic and aleatory uncertainties ([3], [4] and [5]). The deterministic French methodology is based on the selection of seismic scenarios. These scenarios come from the study of the historical and instrumental seismic catalogues. One of the improvements between the 1981 rule and the 2001 one is the complementary study of paleoevents, which extends the observation period of seismicity in the country. Seismic hazard at a site is then represented by a set of response spectra related to the selected scenarios. The design is then defined (Guide ASN, [2]).

1.2.1. Global scheme of the French regulation for assessing the seismic hazard for NPP

The methodology can be summarized in 6 main steps:

1. Determine the seismotectonic zonation, based on geological and seismological criteria; each zone is considered to have a homogeneous seismic potential.

2. Estimate, in these «seismotectonic zones», the characteristics of the historical and instrumental events that occurred in this region. It is assumed that historical earthquakes are likely to occur in the future, with an epicenter in the most penalizing position for the site of interest.

Figure 1: IRSN seismotectonic zonations (left from [6], and right from[7] with quantification of zone boundaries uncertainty).

3. Retain, for the considered site, one or more events that produce the most penalizing effect (in terms of intensity at the site). In other words, the events are moved inside the zone they belong to as close as possible to the site, and they constitute the "Maximum Historically Probable Earthquake" (MHPE), see Figure 2.

4. A "Safe Shutdown Earthquake" (SSE) is associated to each MHPE and is obtained by increasing the MHPE magnitude by 0.5 (corresponding to an increase of 1 degree in intensity as specified in the previous 1981 safety rule).

5. Perform a site effect study to characterize geotechnical and geological material properties. The RFS 2001-01 distinguishes 2 site classes using the Vs 30m parameter, under the hypothesis that the geology is 1D. In case of site effects due to geometrical and/or rheological configurations, a specific study has to be performed. The rule does not give any guidance on how to perform this specific study.

Figure 2: Selection of the reference earthquake and shifting it to define the MHPE (from [6]).

6. Evaluate the seismic motion (mean acceleration response spectra) related to the SSE using the attenuation relationship of Berge-Thierry et al., 2003 [8], which predicts, for a magnitude and distance couple, a pseudo-acceleration value for a wide frequency range (0.1 to 34 Hz), accounting for the soil condition (rock or soil).

Figure 3: Final site specific seismic hazard assessment using the RFS 2001-01

If any credible paleoseismic evidence exists near the site, the associated seismic motion at the site has to be assessed and compared to the SSE motion. Finally, the RFS requires verifying the level of the SSE and paleoevents with respect to a minimal response spectrum (defined for the 2 soil conditions) with a PGA set at 0.1g. The minimal response spectrum is the envelope of two spectra: a large event of magnitude 6.5 located at 40 km from the site, and a local one (4,5 at 10 km). This minimal reference is used to design structures in case of very low seismic hazard assessment. In 2000, during the updating process of the RFS, this minimal level was introduced in order to conform with IAEA recommendations (see §2.10 and 2.11 of [9]) and to reduce the difficulties of assessing hazard in low seismicity areas (avoiding time-consuming expert debates). Figure 3 summarizes such a RFS 2001-01 site specific study, presenting all types of spectra.
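Steps 3 to 5 of the scheme above, with the Vs30m class limits quoted in section 1.2.3, written out as an added Python example; it is not code from the paper or from the RFS 2001-01. The zone polygons, events and depths are constructed; keeping the catalogue depth when an event is shifted, and dropping scenarios that are dominated in both magnitude and distance (used here because the page gives no intensity relation for the "intensity at the site" filter), are assumptions of this example.

```python
import math
from dataclasses import dataclass

MAGNITUDE_MARGIN = 0.5  # step 4: SSE magnitude = MHPE magnitude + 0.5


@dataclass(frozen=True)
class Event:
    name: str
    magnitude: float
    zone: str
    epicentre: tuple  # (x_km, y_km) in a local plane centred on the site
    depth_km: float


def point_in_polygon(p, poly):
    """Ray-casting test: True when p lies inside the zone polygon."""
    x, y = p
    inside = False
    for i in range(len(poly)):
        (x1, y1), (x2, y2) = poly[i], poly[(i + 1) % len(poly)]
        if (y1 > y) != (y2 > y):
            if x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
                inside = not inside
    return inside


def closest_point_on_segment(p, a, b):
    """Orthogonal projection of p on segment ab, clamped to the segment."""
    dx, dy = b[0] - a[0], b[1] - a[1]
    length_sq = dx * dx + dy * dy
    if length_sq == 0:
        return a
    t = ((p[0] - a[0]) * dx + (p[1] - a[1]) * dy) / length_sq
    t = max(0.0, min(1.0, t))
    return (a[0] + t * dx, a[1] + t * dy)


def shift_to_site(site, poly):
    """Step 3: most penalizing epicentre the zone allows (closest to the site)."""
    if point_in_polygon(site, poly):
        return site  # event of the site's own zone: placed under the site
    edges = [(poly[i], poly[(i + 1) % len(poly)]) for i in range(len(poly))]
    return min((closest_point_on_segment(site, a, b) for a, b in edges),
               key=lambda q: math.dist(site, q))


def site_class(vs30_m_s):
    """Step 5: the two RFS classes; anything softer needs a specific study."""
    if vs30_m_s > 800:
        return "rock"
    if vs30_m_s >= 300:
        return "soil"
    return "site-specific study"


def sse_scenarios(site, events, zones):
    """Shift every event (MHPE), add the margin (SSE), drop dominated ones."""
    out = []
    for ev in events:
        shifted = shift_to_site(site, zones[ev.zone])
        out.append({
            "event": ev.name,
            "mhpe_magnitude": ev.magnitude,
            "sse_magnitude": round(ev.magnitude + MAGNITUDE_MARGIN, 1),
            # hypocentral distances before and after the shift
            "catalogue_distance_km": round(
                math.hypot(math.dist(site, ev.epicentre), ev.depth_km), 1),
            "shifted_distance_km": round(
                math.hypot(math.dist(site, shifted), ev.depth_km), 1),
        })

    def dominated(c):
        # Assumption: another scenario that is at least as large and at least
        # as close (strictly better in one) is never less penalizing.
        return any(
            o is not c
            and o["sse_magnitude"] >= c["sse_magnitude"]
            and o["shifted_distance_km"] <= c["shifted_distance_km"]
            and (o["sse_magnitude"] > c["sse_magnitude"]
                 or o["shifted_distance_km"] < c["shifted_distance_km"])
            for o in out)

    return [c for c in out if not dominated(c)]


# Constructed sample data: three rectangular zones, site at the origin.
SITE = (0.0, 0.0)
ZONES = {
    "A": [(-50.0, -50.0), (50.0, -50.0), (50.0, 50.0), (-50.0, 50.0)],
    "B": [(50.0, -50.0), (150.0, -50.0), (150.0, 50.0), (50.0, 50.0)],
    "C": [(-200.0, -50.0), (-80.0, -50.0), (-80.0, 50.0), (-200.0, 50.0)],
}
CATALOGUE = [
    Event("E1-local", 4.8, "A", (30.0, 40.0), 10.0),
    Event("E2-neighbour", 6.0, "B", (120.0, 0.0), 15.0),
    Event("E3-far", 5.5, "C", (-150.0, 20.0), 10.0),
    Event("E4-local", 4.2, "A", (-10.0, -10.0), 12.0),
]

if __name__ == "__main__":
    print("site class:", site_class(650))
    for row in sse_scenarios(SITE, CATALOGUE, ZONES):
        print(row)
```

The retained pair is one close and one more distant scenario; the local event moves from about 51 km to 10 km when shifted under the site, which is the zone-size dependence discussed in section 1.2.2.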

1.2.2. Focus on key parameters, associated uncertainties

As already presented in 2004 during the Tsukuba OECD workshop (see [3] and [4]), although the RFS 2001-01 provides a reference approach to assess the seismic hazard at a nuclear site, its application by different experts can lead to strongly different analyses. This is clearly related to the interpretation of the data and to the way in which the final hypotheses are chosen with respect to the uncertainties. Each step of the methodology is therefore crucial, particularly the first two (seismotectonic zonation, and characterization of the known seismicity in terms of intensity, magnitude and depth), because they contribute to the choice of the site reference scenarios (see [4]). Table 1 summarizes, for each step of the RFS 2001-01 approach, the key parameters and the origin of the variability of the SHA at the same site, depending on how geological and seismological knowledge and uncertainties are converted into hazard hypotheses. The RFS 2001-01 contains explicit increases, which are:

• the definition of the M.H.P.E. by shifting to the most penalizing (i.e. closest) position to the site,
• the definition of the S.S.E. by increasing the magnitude by 0,5 degree,
• the consideration of rare suspected events called 'paleoearthquakes',
• the final comparison between the SSE and paleoevent response spectra and the Minimum spectrum scaled to 0,1g.

However, one can easily understand that (i) the first one depends on the zone sizes and is paradoxically much more significant for sites located in low seismicity areas than for sites included in active seismic zones and/or located close to recognized active faults, (ii) the second one is fixed for each M.H.P.E., (iii) paleoevents allow the low frequency content of the SHA to be increased, and (iv) the Minimal Spectrum compensates for the lack of knowledge in some low seismicity areas, ensuring significant low and high frequency contents for the design spectrum.

1.2.3. Physical source and site complexities

Due to limited knowledge of active structures in France, and especially the absence of a clear correlation between earthquakes and identified faults, the modeling of the seismic motion in the framework of the regulation is simplified. The simplification consists in considering (i) the seismic source as a point source, (ii) the seismic energy through a single parameter, the magnitude, (iii) the wave propagation through a single parameter, the distance, and (iv) the site geotechnical characteristics through a site coefficient valid only for 1D geometry. The seismic motion is then evaluated using an empirical attenuation relationship. This means that complex source effects due to the extended fault plane are not explicitly accounted for. Baumont et al., 2004 studied this topic, considering the case in France of a well identified seismic source to which historical and instrumental earthquakes are clearly associated, and tested this simplification. The tests performed exhibit a good conservatism of the RFS 2001-01 approach with respect to scenarios accounting for the whole source complexity (i.e. extended source, broad-band dislocation on the fault, focal mechanism, variable rupture velocity, directivity effects …).

Local site effects are accounted in the RFS 2001-01 by a site coefficient in the strong motion attenuation relation prediction. This approach is valid only for simple geometry site e.g. site presenting only vertical rheological shear wave velocity variation. Based on the Vs30m parameter two site categories are defined: the "Rock" one being for site with Vs30m upper than 800 m/s, and "Soil" sites with Vs30m between 300 to 800 m/s. The RFS 2001-01 stipulates that for low velocities sites (e.g. lower than 300 m/s) and for complex site geometries (e.g. 2D and/or 3D) a specific site study is required. In such cases the nuclear operator has to perform a dedicated site effect study to predict the strong ground motion representative of the complex behavior of soft soils and/or complex wave field propagation and modification due to resonance or trapping phenomena. In France, an despite a moderate seismicity, several nuclear or industrial sites are subjected to such "particular" site effects: it is the case in ancient glacial valleys or recent sedimentary zones. At this time, several international benchmarkings have been organized to check the capacity of scientific community to predict these

278 NEA/CSNI/R(2014)9

Columns: RFS 2001-01 approach | Key parameters & uncertainty degree (Small, Medium, Large) | Related references | Influence vs site SHA

RFS 2001-01 approach: Seismotectonic zonation
Key parameters & uncertainty degree:
• Zone boundary: S, M, L: consensus or expert opinions.
• Active faults identification (no recent active fault map)
Related references:
• Autran et al., 1998 (zonation for PSHA), [10]
• Terrier et al. 2000, [11]
• IRSN zonation used for deterministic SHA (see Berge-Thierry et al., 2004 [3] and Cushing et al., 2003 [5])
• Baize et al., 2011 [7]: with potential active faults and estimated uncertainty on boundaries.
Influence vs site SHA:
• Strong: historical and instrumental earthquakes are located regarding the zonation (i.e. in the site-zone, or outside).
• Strong: if individual active faults are considered, possibility to associate past earthquakes

RFS 2001-01 approach: Seismicity. Magnitude characterization: 1) Historical event, 2) Instrumental recorded event
Key parameters & uncertainty degree:
1) Historical catalogue (~1000 years): data scaled in Intensity: qualitative epicentral intensity uncertainty (S, M, L), range of uncertainty in km for epicentral location. Use of (Intensity, magnitude, depth) empirical correlation to characterize historical event
2) Local magnitude reference (MLDG). Uncertainties: ~0,2 on MLDG and 2,6 km in (Lat, long) location. Uncertainty not specified for the depth (~5km)
Related references:
• National SISFRANCE database [12]
• Levret 1994 [13]
• Scotti et al., 2004 [14]
• Baumont et Scotti, 2007 [15]
• Baumont & Scotti, 2011 [16]
(…) not exhaustive references
• Instrumental catalogue provided by CEA/LDG (see Geoter, 2002, [17])
Influence vs site SHA:
• Various estimates for same event, due to scale, epicentral hypothesis, choice of (I, M) correlation relationship.
• For same EQ, various estimates of (I_epic, Magnitude, Depth)

RFS 2001-01 approach: Selection of reference events
Key parameters & uncertainty degree:
• driven by the « Imax on site » filter (see RFS 2001-01)
• one or several events (not clearly specified in the RFS) – Should select at least close and far from the site events.
Related references:
• RFS 2001-01
Influence vs site SHA: Strongly related to the two previous steps (zonation & characterization of historical EQ through Intensity parameter). Considering – or not – associated uncertainties.

RFS 2001-01 approach: Define M.H.P.E.(s)
Key parameters & uncertainty degree:
• Reference events shifted close to the site <> related with zone boundaries & epicentral intensity assessment.
Related references:
• RFS 2001-01
Influence vs site SHA: Small to Strong. Fully linked to zonation and uncertainties consideration on (Intensity, Location) of historical events.

RFS 2001-01 approach: S.S.E(s)
Key parameters & uncertainty degree:
• (Magnitude) M.H.P.E + 0,5
Related references:
• RFS 2001-01
Influence vs site SHA: None

RFS 2001-01 approach: PaleoEQ
Key parameters & uncertainty degree:
• Reliability assessment of the neotectonic index in (location, Magnitude and time recurrence)
Related references:
• RFS 2001-01
• National NEOPAL database [18] (recent deformation and paleoearthquake evidences)
Influence vs site SHA:
• Various estimates of (Magnitude, distance to the site) for same paleoevent from one expert to another.

RFS 2001-01 approach: Site Effects
Key parameters & uncertainty degree:
• Site classification driven by the RFS 2001-01 text.
• For 1D rock and soil sites: RFS 2001-01 method
• For (2D, 3D, non linear soils), not codified
Related references:
• RFS 2001-01
Influence vs site SHA:
• Consensus for 1D rock & soil sites (through RFS 2001-01 guideline)
• Neither scientific nor methodological consensus to account for "particular site effects": experts' debates.

RFS 2001-01 approach: Ground Motion pred.
Key parameters & uncertainty degree:
• median prediction of the RFS 2001-01 relationship.
Related references:
• RFS 2001-01
• Berge-Thierry et al., 2003 [4]
Influence vs site SHA:
• None (for defined M-hypocentral distance – site condition triplet).

Table 1: detailed presentation of the scenario based RFS 2001-01 methodology steps, associated parameters, references frequently used.


effects, which are very complex because they depend on the seismic level (non consolidated soils exhibit non linear effects) and vary with frequency; moreover, it is well demonstrated that site effects vary with the azimuthal position of the source fault (when the source is close to the site). ESG 2006 focused on the Grenoble valley, and a strong scatter of the results between various numerical codes appeared ([19] and [20]). Finally, at this time, there is no consensus either in the scientific community or in the nuclear one (e.g. including operators, technical experts and authority) on how to practically account for and include such complex site effects in a way that is coherent with structural and equipment design issues.

1.3 Link between RFS 2001-01 and Guide ASN/2/01, coherency of this safety framework

Seismic risk for NPP safety is addressed in France through two references: the RFS 2001-01, which proposes a methodology to assess seismic hazard, and the Guide/ASN/2/01, which provides requirements and methods to design civil engineering buildings and equipment. The two texts, respectively updated in 2001 and 2005, provide a coherent framework. For example, many methodological aspects described in the Guide/ASN/2/01 directly refer to the RFS 2001-01, such as:
• the determination of design spectra as the envelope of seismic hazard spectra, e.g. SSE, paleoearthquake and minimal spectrum,
• the selection of accelerograms for temporal analyses, fitting criteria on seismic indicators derived from the RFS 2001-01 strong motion database used to propose the attenuation relationship to compute response spectra,
• consideration of soil and structure interaction.
Finally, it is important to recall that consideration of inelastic behavior is permitted in this Guide/ASN/2/01 only for structures whose behavior requirement is the non-interaction.

The appreciation of seismic margins for NPPs should not be restricted to the level of seismic hazard assessed at the site using the RFS 2001-01; it also depends on other factors (SSI, structural behavior in the elastic linear domain) coming from the application of the Guide/ASN/2/01. Figure 4 illustrates the effect of the systematic consideration of inelastic behavior of structures allowed in the Eurocode 8 ([21] and [22], regulation references used in France for Risk Induced Industries such as chemical ones) in comparison with the ‘nuclear approach’, in which the seismic action is not reduced (the nuclear and non nuclear plants being located at the same site). This figure demonstrates that, although the elastic design spectrum is higher for the non nuclear plant (ICPE black spectrum) than for the nuclear plant (SDD red spectrum), the effective seismic action used to design the structure is generally much lower for the non nuclear plant (blue, green and magenta spectra: reduction of the black spectrum due to the inelastic behavior coefficient) than for the nuclear plant (red spectrum, not reduced).

2. The Tohoku, March 11, 2011 earthquake, Fukushima accident and Complementary Safety Studies in Europe and France

2.1 The March 11th 2013 Tohoku earthquake

The March 11th 2013 Tohoku earthquake, also named the Great East Japan Earthquake, magnitude 9 (Mw), was an undersea megathrust event. It was the most powerful known earthquake ever to have hit Japan, and the fifth most powerful earthquake in the world since modern record-keeping began in 1900 [23]. The tsunami caused severe nuclear accidents at the Fukushima Daiichi Nuclear Power Plant, where level 7 (INES scale) meltdowns occurred at three reactors. The analysis of this accident sequence demonstrated the direct role of the tsunami waves, which overtopped the clearly under-designed seawall and destroyed the diesel backup power systems. In contrast, post-seismic inspections at several Japanese NPPs, and especially at the Onagawa power station, which was the one closest to the Tohoku earthquake epicenter, observed that these sites remained largely undamaged. At Onagawa the plant's 3 reactors automatically shut down without damage and all safety systems functioned as designed. The plant's 14 meter high seawall successfully withstood the tsunami [24]. It should be noted that such observations had already been made after the 2007 Chuetsu Oki Earthquake, which struck the largest NPP in the world, the Kashiwazaki Kariwa plant. This event was quite moderate relative to the Tohoku one, with a 6,8 Mw magnitude, but it occurred very close to the


site (a few kilometers): all the strong motions recorded at the KK site were systematically higher than the design levels. Nevertheless, all the operating reactors shut down automatically, and the whole NPP site, civil engineering buildings and safety related equipment maintained their integrity. The research and nuclear communities were involved, through international programs (supported by the IAEA – EBP project), in understanding this good behavior of structures and components, identifying and quantifying the seismic margins (coming essentially from soil and structure interactions and from design and construction provisions).

Figure 4 (after A. Langeoire, CEA 2013): Comparison, at the same site, of effective seismic actions used to design structures ('Chemical plant') using Eurocode 8, which allows reduction of the elastic response spectrum through inelastic behavior coefficients (q > 1), and a nuclear plant using the Guide/ASN/2/01, which requires the elastic spectrum to be considered.

This research continued when the Tohoku EQ occurred. This NCOE research program is now over and a Tecdoc is currently being reviewed at the IAEA. The NCOE and the associated satisfactory behavior of the nuclear plant are mentioned in the present discussion in order to underline that nuclear safety with respect to seismic aggression is not ensured only by an accurate assessment of the hazard itself, including sufficient margins (by considering conservative assumptions and/or propagating a large amount of uncertainties, either through a scenario based approach or a probabilistic one), but also by the rules, hypotheses and methods used to design and construct nuclear buildings and equipment. Nuclear seismic safety is a continuous process from hazard to vulnerability.

2.2 Consequences of Fukushima Nuclear Accident on French Nuclear Plants

Due to the clear underestimation of the seismic and tsunami hazards in Japan (such a Magnitude 9 earthquake was not expected at this location, and thus not considered in the SHA), and, at least at the Fukushima Daiichi NPP, an insufficient design of the seawall, the scientific community and the nuclear safety authorities rapidly launched studies worldwide in order to assess the capacity of the existing NPPs to sustain seismic levels higher than the ones considered for design and/or during safety reassessment reviews. To maximize consistency between the European and French approaches, the drafting of the French specifications for the complementary safety assessments was based on the European specifications drawn up by the Western European Nuclear Regulators Association (WENRA) as well as with the ENSREG [25]. The first complementary studies led operators and the nuclear authority to define the ‘hard core concept’ of the NPP, as being a set of engineering buildings, equipment and organizational processes that will significantly increase the seismic safety of the plant, allowing it to withstand extreme natural events. In this context of ‘Hard Core’ definition, the Safety authority asked all the operators to propose, for each NPP, a ‘Hard Core seismic Level’ ‘significantly higher than seismic level currently defined in the regulation’. The current regulation to


assess the seismic hazard for NPPs is presented in the first section of the present article, and is the deterministic RFS 2001-01. Then, in 2013, operators proposed their Hard Core seismic levels, mainly based on a flat rate increase of the Safe ShutDown Level (combined with the paleoevent, if any), homogeneous over the whole frequency band. These Hard Core Levels are still under review by the IRSN, technical support of the ASN, which recently asked the operators to complete their justifications by performing probabilistic seismic hazard assessments (PSHA) to associate return periods with the Hard Core Seismic Levels. The requirement is that this return period should be ‘significantly higher than the 10⁻⁴ return period currently being the reference for NPP design’, in conformity with the ENSREG recommendation resulting from the European Peer review [26]. These probabilistic arguments are currently being prepared by the operators. The following section briefly presents the French experience in PSHA and the key steps, parameters and uncertainties that will necessarily be discussed in the coming months.

2.3 French Experience in PSHA

Due to its traditional use of the ‘deterministic approach’ to assess the seismic hazard for NPPs, the French nuclear community is variably involved in PSHA. In fact, the recent PSHA on the whole French territory was performed in the 2000’s to update the seismic zonation (mandatory for conventional buildings). Before this complete and state of the art PSHA study (Geoter, 2002 [17]), few PSHA were calculated (Bottard, 1990 [27], EPAS 2000 [28], Marin et al., 2004 [29]), and in these previous works the uncertainties were not propagated. Nowadays, a PSHA, whatever its level (in reference to the SSHAC procedure [32]), needs to propagate epistemic and aleatory uncertainties. As summarized in Table 2, only 2 recent studies in France (global territory scale) could be considered as real PSHA following this uncertainty propagation criterion: the Geoter 2002 [17] and the AFPS 2006 [30]. Nevertheless these studies are ‘regional’, not site specific. In France, it seems that only one site specific PSHA has been published (Clement et al, 2004 [31]). In comparison, we can mention the Swiss nuclear experience, which identified in the 1990’s the necessity to update its SHA to account for US improvements. Table 2 summarizes the Swiss PSHA PEGASOS project, which is an ambitious SSHAC Level 4 (see [32]).

1990-1997: Federal Nuclear Safety Inspectorate (HSK) identified the need to update the seismic hazard assessments for Swiss NPPs, as no longer compliant with the state of the art (progress in US)

Dec. 1998: Swiss regulator started development of « PSHA guidelines » (i) based on modern US recommendations (ii) beyond international state of the art

June 1999: Swiss regulator requested Swiss NPP operators to perform a PSHA that complies with SSHAC Level 4

March 2000: NPP operators submitted first draft project plan: « PEGASOS »

2001-2004: Project settlement (i) Project lead NAGRA (ii) 13 workshops (iii) 17 « elicitation meetings » (iv) Participatory peer review by HSK

Nov 2004: PEGASOS review meeting: specialists meeting, Baden

2004-2006: Review by the utilities and performance of several additional studies

2007: Planning of a refinement study: Pegasos Refinement

2008-2013: Realization of the Pegasos refinement project (end May 2013)

Table 2: Historical development of the Swiss Nuclear SSHAC Level 4 PSHA.

Even if, in the frame of the Complementary Studies and the Hard Core Seismic Levels justification, the SSHAC Level 4 PSHA is clearly not an objective for the French nuclear actors, the PEGASOS project should necessarily be a reference, because it faced the classical key scientific questions associated with a PSHA performed in a moderate seismicity area (choice of GMPEs, of maximal magnitude ...).


Table 3 summarizes PSHA studies recently published in France. Nowadays, EPAS 2000 [28] and Marin et al., 2004 [29] are not considered as PSHA in reference to the international state of the art and common practice: indeed, in these two studies, even though the Cornell approach and the Gutenberg-Richter model are used [33], neither epistemic nor aleatory uncertainties are propagated.

[Maps not reproduced. Panels: (a) EPAS 2001, (b) Marin et al., 2004, (c) GEOTER, 2002, (d) AFPS, 2006]

Table 3: (a) EPAS 2000 [28], no uncertainty propagation – (b) Marin et al. 2004 [29] no uncertainty propagation (c) Geoter 2002 [17], PSHA performed in the framework of seismic zonation revision for Eurocodes application, epistemic and aleatory uncertainties propagated (d) Work performed by AFPS group in 2006 [29], epistemic and aleatory uncertainties propagated. (a, b, c and d maps present PGA median value at Tr 475y). Differences are explained in table 4.

Differences between maps (c) and (d) come from the hypotheses and, in particular, from the amount of uncertainty that is ‘injected’ in the computation; for example, in the Geoter 2002 [17] study, strong motion prediction is performed considering the whole dispersion (i.e. ±∞), whereas in AFPS 2006 [29] 2σ are considered (see Table 4 for the main differences between studies "b, c and d" of Table 3). The assessment of seismic hazard using state of the art probabilistic methodology to appreciate the significant character of ‘hard core’ seismic levels requires defining several parameters and models, and determining uncertainties. All steps of any PSHA are presented and commented in Table 5, and in the last column a comparison with DSHA is provided. As highlighted in Table 5, basic data, knowledge and lack of information are common to PSHA and DSHA. The treatment of aleatory uncertainty (associated with the prediction of ground motion and quantified through the σ of GMPEs) and the consideration of the recurrence of seismic events in the PSHA fundamentally distinguish these two approaches. Indeed the epistemic uncertainties can be integrated in DSHA as in PSHA through logic trees [37]. If it is clear that the main advantage of the probabilistic method is to associate


probabilities with the results, the numerous steps that have to be treated need to be underlined, as well as the difficulty and the lack of consensus in the international community on recommended practice for integrating the ground motion prediction uncertainty (i.e. σ), which is the key parameter that strongly influences PSHA results, in particular increasing the hazard especially for long return periods.
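The sensitivity described above, as an added illustration (not code from the paper or from any of the cited studies): a minimal Cornell-type hazard integral for a single source at fixed distance, comparing the ground motion dispersion σ integrated to ±∞ with a truncation at 2σ, and reading the annual rate of a scenario-based (median) level off the same curve. The recurrence parameters, the distance and the GMPE coefficients are constructed values chosen only so that the example runs.

```python
import math

# Constructed inputs (illustrative values, not taken from the paper or the cited studies)
NU = 0.05                 # annual rate of events with M >= M_MIN in the source
B_VALUE = 1.0             # Gutenberg-Richter b-value
M_MIN, M_MAX = 4.5, 6.5   # magnitude bounds of the recurrence model
R_KM = 20.0               # single source-to-site distance
SIGMA_LN = 0.6            # aleatory standard deviation of ln(PGA)


def median_ln_pga(m, r_km):
    """Toy GMPE: ln of the median PGA in g (made-up coefficients)."""
    return -3.5 + 0.9 * m - 1.2 * math.log(r_km + 10.0)


def upper_tail(x):
    """P(Z > x) for a standard normal variable."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))


def prob_exceed(a_g, m, r_km, eps_max=None):
    """P(PGA > a_g | m, r). eps_max=None integrates sigma to +/- infinity;
    otherwise the normal law is truncated at +/- eps_max sigma and renormalised."""
    eps = (math.log(a_g) - median_ln_pga(m, r_km)) / SIGMA_LN
    if eps_max is None:
        return upper_tail(eps)
    if eps >= eps_max:
        return 0.0
    if eps <= -eps_max:
        return 1.0
    tail = upper_tail(eps_max)
    return (upper_tail(eps) - tail) / (1.0 - 2.0 * tail)


def annual_rate(a_g, eps_max=None, steps=400):
    """Annual rate of exceedance of a_g: NU * integral of f(m) * P(PGA > a_g | m) dm,
    with f(m) the doubly truncated Gutenberg-Richter density (midpoint rule)."""
    beta = B_VALUE * math.log(10.0)
    norm = 1.0 - math.exp(-beta * (M_MAX - M_MIN))
    dm = (M_MAX - M_MIN) / steps
    total = 0.0
    for i in range(steps):
        m = M_MIN + (i + 0.5) * dm
        f_m = beta * math.exp(-beta * (m - M_MIN)) / norm
        total += f_m * prob_exceed(a_g, m, R_KM, eps_max) * dm
    return NU * total


def pga_at_return_period(t_years, eps_max=None):
    """PGA (g) whose annual exceedance rate equals 1/t_years (bisection in log space)."""
    target = 1.0 / t_years
    lo, hi = 1e-4, 10.0
    for _ in range(80):
        mid = math.sqrt(lo * hi)
        if annual_rate(mid, eps_max) > target:
            lo = mid
        else:
            hi = mid
    return math.sqrt(lo * hi)


def scenario_pga(m, r_km, eps=0.0):
    """Scenario-based (DSHA-style) level: median prediction shifted by eps sigma."""
    return math.exp(median_ln_pga(m, r_km) + eps * SIGMA_LN)


def compare(return_periods=(475, 10_000)):
    """(Tr, PGA with sigma to infinity, PGA with 2-sigma truncation, ratio) per Tr."""
    rows = []
    for t in return_periods:
        full = pga_at_return_period(t)
        trunc = pga_at_return_period(t, eps_max=2.0)
        rows.append((t, full, trunc, full / trunc))
    return rows


if __name__ == "__main__":
    for t, full, trunc, ratio in compare():
        print(f"Tr={t:>6} y  PGA(sigma to inf)={full:.3f} g  PGA(2 sigma)={trunc:.3f} g  ratio={ratio:.2f}")
    level = scenario_pga(6.0, R_KM)  # constructed scenario: M 6.0 at R_KM, median
    print(f"scenario level {level:.3f} g -> return period {1.0 / annual_rate(level):.0f} y "
          f"(sigma to inf), {1.0 / annual_rate(level, eps_max=2.0):.0f} y (2 sigma)")
```

With these constructed inputs the gap between the two treatments of σ widens as the return period grows, and the same scenario level is assigned a longer return period once σ is truncated.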

Columns: Study (hazard parameters, return periods) | ZONATION | SEISMICITY MODEL | ATTENUATION MODEL

(b) Marin et al., 2004 (PGA; Tr 475 y)
Zonation: One zonation
Seismicity model: Gutenberg-Richter: (i) no Maximal Magnitude (historical max only) (ii) no uncertainty on and
Attenuation model: One relationship; σ not integrated

(c) Geoter 2002 (PGA & PSA; Tr 100, 475, 975, 1975 y)
Zonation: 3 hypotheses integrated: (i) EPAS (ii) Simplified EPAS (iii) No zonation (Woo)
Seismicity model: Gutenberg-Richter: (i) Mmax (ii) uncertainty (on and of GR and on depth)
Attenuation model: 2 « crustal » GMPEs, 2 « subduction » GMPEs; σ integrated on ±∞

(d) AFPS 2006 (PGA & PSA; Tr 100, 475, 975, 1975 y)
Zonation: Idem as Geoter 2002
Seismicity model: (i) Introduce Magnitude scale conversions (ii) GR & Uncertainties idem as Geoter 2002
Attenuation model: Geoter 2002 and additional GMPE’s (based on weak motions); 2σ truncation and reduction of σ

Table 4: Example of differences on the treatment of epistemic and aleatory uncertainties in Marin et al. 2004, Geoter 2002 and AFPS 2006: these choices explain the differences observed on Table 3 on predicted hazard.

In the context of the Complementary Safety Studies, several key steps and parameters should be carefully discussed in order to provide credible information (i.e. a seismic level for a fixed return period). Figure 5 summarizes the decisions that operators and regulators have to take in performing a PSHA: defining the target return period associated with the required seismic safety level, and what level of confidence in the predicted hazard is needed to meet the required safety level. The consideration of the safety issues of the NPP, such as its lifetime duration, could guide this choice [9]. References [34] and [35] particularly discuss these important issues. Figure 5 (b) illustrates the dispersion of PSHA predictions for various confidence levels, reflecting the propagation of epistemic and aleatory uncertainties. Finally, it is essential to remember that the Uniform Hazard Spectrum is not the final step of a PSHA. In order to check the results and the inherent hypotheses, the disaggregation is necessary, especially to identify the main contributing seismic sources for the target safety level, allowing time histories representative of the hazard to be proposed (see Klüegel, 2009 [36]).

Figure 5 : (a) Process of determining design ground motions from the output of a PSHA performed within a logic-tree framework, in terms of selecting the target return period and the appropriate hazard curve. ([35]). (b) Associated illustration of (a) from Pegasos project (from Sabetta web document).


Columns: Steps of the PSHA | Comment | Deterministic approach (DSHA)

Step: The standard reference (e.g. RG 1.208 …)
Comment: PSHA Specific – no reference in France for NPP safety
DSHA: RFS 2001-01 for NPP’s SHA

Step: Seismicity modeling: Cornell approach, smoothing and/or faults model
Comment: PSHA Specific
DSHA: Fault scenario

Step: The catalog of seismicity used: construction, declustering and homogenization
Comment: Specificity of PSHA: all seismicity used to compute SHA
DSHA: Catalog needed in deterministic approach (defining zonation, characterizing seismic activity and potential of sources)

Step: Selection of seismotectonic zoning, zone size
Comment: Specificity of PSHA: constrain on source to assess GR
DSHA: Zonation also needed

Step: The calculation of the parameters of the GR method, period of completion, retained range of magnitudes
Comment: PSHA Specific: GR to establish and uncertainties on &
DSHA: GR not used to compute the hazard (selection of ‘reference events’ in the catalogue)

Step: Strong Motion Predictive Equations: selection criteria, equations list, choose the depth, modeled treatment, distances (Joyner & Boore distance, distance to rupture, etc.), the conversion of magnitudes, the value of epsilon
Comment: Specificity of PSHA: the integration of σ in the computation of SHA
DSHA: Decide the confidence level of ground motion prediction using GMPE’s. (In the RFS 2001-01: mean prediction)

Step: The choice of min and max magnitudes to compute SHA
Comment: PSHA Specific
DSHA: Hazard computed for selected scenario(s)

Step: The maximum distance of integration
Comment: PSHA Specific
DSHA: Hazard computed for selected scenario(s)

Step: The frequencies selected to build the UHS
Comment: PSHA Specific: Uniform Hazard Spectrum results from the whole seismic catalog contributing with respect to the GR distribution >> UHS is not representative of the seismic motion of an earthquake. On a UHS each PSA has equiprobability to occur.
DSHA: DSHA produces response spectra. Each spectrum associated to an EQ scenario (mag, distance)

Step: The percentile used to calculate the hazard curves.
Comment: PSHA Specific: percentiles reflect the effect of uncertainties propagation in the PSHA.
DSHA: Level of hazard scenario driven by the of used to predict the motion.

Step: The return period (or exceedance probability) of SHA
Comment: PSHA Specific: related to the safety level targeted, i.e. political & economical decision. Should be related to the project (type of plant, associated issues and risk, lifetime duration …) – possibility of graduation ([9])
DSHA: No return period neither probability value for DSHA.

Step: Disaggregation of the UHS
Comment: PSHA Specific: crucial step to identify, for a specific motion value and frequency (Tr being fixed), the event scenario(s) that contribute in terms of (Magnitude, distance, ). Necessary step to propose time series for structural analyses.
DSHA: N/A

Step: Sensitivity study
Comment: PSHA Specific: Necessary to check the influence of hypothesis and uncertainties on SHA.
DSHA: Interesting if epistemic uncertainties accounted (logic tree)

Step: Check/Validation of results
Comment: PSHA Specific: check results with existing data
DSHA: N/A

Table 5: Steps of current practice PSHA and comments regarding the specificities or common features with scenario based approach.


3 Conclusions

This presentation gives the current practice of seismic risk management in France for nuclear safety. The regulation is composed of two coherent and complementary references, the RFS 2001-01 and the Guide ASN/2/01. We point out the key steps of the seismic hazard assessment following the RFS 2001-01 methodology, which is scenario based. We particularly highlight the sensitivity to, and the influence of, the choices of seismic parameters within their uncertainty domains and their impact on the final hazard. The Tohoku 2011 megaquake and the associated Fukushima accident resulted in the Complementary Safety Studies in the nuclear field. The review of the French complementary studies by the ENSREG made the recommendation to complete the scenario based approach by a probabilistic hazard assessment. The presentation then exhibits the specificities and common aspects of PSHA and DSHA. We underline that these two approaches are strictly founded on common databases and knowledge level: the epistemic uncertainties can be accounted for by both PSHA and DSHA through logic trees (see [37] for DSHA). However, they clearly differ on two points:
• the PSHA accounts for the whole seismic catalogue with its occurrence rate, where the DSHA selects specific scenarios with consideration of occurrence level,
• the aleatory variability is treated differently: (i) the scenario approach requires a policy decision on ε (the number of σ’s away from the median), (ii) the probabilistic approach integrates over ε in the hazard integral.
Finally, performing a probabilistic seismic hazard assessment requires defining crucial parameters: (i) the safety level target, which corresponds to a return period value of the hazard curve, and (ii) its confidence level. In France, such PSHA studies are just beginning in the framework of the CSS for nuclear plants.

References

[1] RFS 2001-01, http://www.asn.fr/index.php/Divers/Autres-RFS/RFS-2001-01.
[2] Guide ASN/2/01, Consideration of seismic risk for the design of civil engineering buildings of nuclear plants excepted long duration radioactive wastes disposal, http://www.asn.fr/index.php/Divers/Autres-RFS/Guide-ASN-Guide-2-01-ex-RFS-V.2.g.
[3] C. Berge-Thierry, E. Cushing, O. Scotti and F. Bonilla, Determination of the seismic input in France for the nuclear power plants safety: regulatory context, hypothesis and uncertainties treatment, OECD Tsukuba, 2004, http://www.oecd-nea.org/nsd/workshops/SEIS2004/Papers/Papers/FR_Berge_s1.pdf.
[4] Baumont D., J. Ruiz, C. Berge-Thierry, and M. Cushing, On the simulations of broadband strong ground motions for moderate earthquakes along the durance fault, France, OECD Tsukuba, 2004, http://www.oecd-nea.org/nsd/workshops/SEIS2004/Papers/Papers/FR_baumont_s1.pdf.
[5] Cushing E., Baize S., Berge-Thierry C., Baumont D. et Scotti O. (2003). Impact des incertitudes des données de base sur l'estimation de l'aléa sismique par une approche déterministe. 6ème Colloque National AFPS, Vol. 1, pp 41-48, 2003.
[6] Institut de Radioprotection et de Sûreté Nucléaire Web site, http://www.irsn.fr/FR/base_de_connaissances/Installations_nucleaires/La_surete_Nucleaire/risque_sismique_installations_nucleaires/Pages/8-Evaluation_de_l_alea_sismiqueReglementation_applicable_aux_sites_nucleaires_francais.aspx
[7] Baize S., Cushing M.E., Jomard H., and C. David, Contribution of geology to NPP safety SHA (France), GNGTS – 30e Convegno – 14-17/11/2011 – Trieste, http://www2.ogs.trieste.it/gngts/gngts/convegniprecedenti/2011/presentazioni/2.1/1000-Baize_GNGTS_2011.pdf.
[8] Berge-Thierry C., D. Griot-Pommera, F. Cotton et Y. Fukushima, New empirical response spectral attenuation laws for moderate European earthquakes. Jour. of Earth. Eng., Vol. 7, No 2, pp 193-222, 2003.
[9] International Atomic Energy Agency, Specific Safety Guide, N° SSG-9, Seismic hazards in Site evaluation for nuclear installations, 2010.
[10] Autran A., Blès J.L., Dominique P., Terrier M., Combes P., Durouchoux C., Cushing, Gariel J.C., Mohamadioun B. and X. Goula (1998). Probabilistic seismic hazard assessment in France. In: Working group EPAS – AFPS. Part One: Seismotectonic zonation, 11th European Conference on Earthquake Engineering, Paris.
[11] Terrier M., Blès J.L., Godefroy P., Dominique P., Bour M. et C. Martin (2000), Zonation of metropolitan France for the Application of earthquake-resistant building regulations to critical facilities, part 1: Seismotectonic zonation. Journal of Seismology, 4, 215-230.
[12] SISFRANCE database, http://www.sisfrance.net/


[13] Levret A., Backe J. and M.E. Cushing, (1994), Atlas of macroseismic maps for French earthquakes with their principal characteristics, Natural Hazards, 10, 19-46.
[14] Scotti O., D. Baumont, G. Quenet, and A. Levret, 2004. The French macroseismic database SISFRANCE 2001. Annals of Geophysics, Vol. 47, N. 2/3, April/June.
[15] Baumont D. & O. Scotti (2007) Calibration en Ms et Mw d’une relation d’atténuation en intensité pour l’estimation des caractéristiques des séismes historiques en France métropolitaine, 7ème Colloque de l'Association française du Génie Parasismique, Ecole Centrale Paris, 2007.
[16] Baumont and Scotti, 2011, The French Parametric Earthquake Catalogue (FPEC) based on the best events of the Sisfrance macroseismic database - Version 1.1 - IRSN/DEI/2011-012.
[17] Geoter 2002: Ch. Martin, P. Combes, R. Secanell, G. Lignon, A. Fioravanti, D. Carbon, O. Monge, B. Grellet, Révision du zonage sismique de la France, étude probabiliste, Rapport GTR/MATE/0701 – 150 Affaire n° 1601, 15/07/2002
[18] NEOPAL database, http://www.neopal.net/
[19] Chaljub E., C. Cornou and P.Y. Bard, Numerical benchmark of 3D ground motion simulation in the valley of Grenoble, French Alps, Third International Symposium on the Effects of Surface Geology on Seismic Motion, Grenoble, France, 30 August - 1 September 2006.
[20] Chaljub E., S. Tsuno, P.Y. Bard and C. Cornou, Analyse des résultats d’un benchmark numérique de prédiction du mouvement sismique dans la vallée de Grenoble, Colloque AFPS 2007, Ecole Centrale Paris, http://www.obs.ujf-grenoble.fr/risknat/projets/sismovalp/CD3/a-Papers/14-Chaljub%20et%20al-aAFPS%202007.pdf
[21] EN 1998-1 : 2004 – Eurocode 8 – Calcul des structures pour leur résistance aux séismes – Partie 1: Règles générales, actions sismiques et règles pour les bâtiments – Octobre 2004.
[22] Arrêté du 24 janvier 2011 fixant les règles parasismiques applicables à certaines installations classées.
[23] Tohoku March 11th 2011 earthquake, wikipedia information page, http://en.wikipedia.org/wiki/2011_T%C5%8Dhoku_earthquake_and_tsunami
[24] International Atomic Energy Agency, IAEA Expert Team Concludes Mission to Onagawa NPP, http://www.iaea.org/newscenter/pressreleases/2012/prn201220.html, 2012.
[25] French Safety Authority specifications for the Complementary Safety Studies, http://www.oecd-nea.org/nsd/fukushima/documents/France_2011_09_15Preliminaryreport_110916ECSRapportANGLAIS_0.pdf
[26] http://www.ensreg.eu/sites/default/files/post%20stress%20tests%20National%20Action%20plan%20ASN%20France.pdf, Stress tests French Safety Authority Action plan 2012.
[27] Bottard S., Gestion du risque sismique : développement d'une méthodologie probabiliste pour l'évaluation de l'aléa sismique en France. Application aux données de sismicité historique et instrumentale, thèse de doctorat, Paris 9, 1995.
[28] EPAS, Bour M., P. Dominique, J.-L. Blès, P. Godefroy, C. Martin et M. Terrier, Zonation of Metropolitan France for the application of earthquake-resistant building regulations to critical facilities. Part 2 : seismic zonation, Journal of Seismology, 4, 231-245, 2000.
[29] AFPS 2006, Rapport du GT, www.afps-seisme.org/index.php/fre/.../Rapport-zonage-mars-2007.pdf
[30] Marin S., J.P. Avouac, M. Nicolas, A. Schlupp, A probabilistic approach to seismic hazard in metropolitan France, Bull. Seism. Society of America, 2004.
[31] Clément C., O. Scotti, L.F. Bonilla, S. Baize, C. Beauval, Zoning versus faulting models in PSHA for moderate seismicity regions: preliminary results for the Tricastin nuclear site, France, Boll. Geof. Teo. App., Vol. 45, N°3, pp 187-204, 2004.
[32] SSHAC (Senior Seismic Hazard Analysis Committee). Recommendations for Probabilistic Seismic Hazard Analysis: Guidance on Uncertainty and Use of Experts, US Nuclear Regulatory Commission report CR-6372.
[33] Cornell, C.A. (1968). Engineering seismic risk analysis, Bull. Seism. Soc. Am., 58, 1583-1606.
[34] Abrahamson N. A. and J. Bommer, Probability and Uncertainty in Seismic Hazard Analysis, Earthquake Spectra, Volume 21, No. 2, pages 603–607, 2005.
[35] Bommer et Scherbaum, The Use and Misuse of Logic Trees in Probabilistic Seismic Hazard Analysis, Earthquake Spectra, Volume 24, No. 4, pages 997–1009, 2008.
[36] Klüegel J.U., Probabilistic seismic hazard analysis for nuclear power plants – current practice from a European perspective, Nuclear Engineering and Technology, vol. 41, no. 10, December 2009.
[37] Secanell R., Ch. Martin, X. Goula, T. Susagna, M. Tapia, D. Bertil, P. Dominique, D. Carbon and J. Fleta, Evaluation probabiliste de l’aléa sismique, dans la région transfrontalière pyrénéenne, 7ème Colloque National AFPS 2007 – Ecole Centrale Paris, 2007.


LEVEL-1 SEISMIC PROBABILISTIC RISK ASSESSMENT FOR A PWR PLANT

Authors; Keisuke Kondo*, Akihiro Ichitsuka**, Masahide Nishio*, Haruo Fujimoto* *Japan Nuclear Energy Safety Organization (JNES) ** Japan Systems Corporation

Abstract

In Japan, the revised Seismic Design Guidelines for domestic light water reactors were published on September 19, 2006. These new guidelines introduced the objective of confirming that the residual risk resulting from an earthquake that exceeds the design limit seismic ground motion (Ss) is sufficiently small, based on the probabilistic risk assessment (PRA) method, in addition to the conventional deterministic design basis methodology. In response to this situation, JNES had been working to improve seismic PRA (SPRA) models for individual domestic light water reactors. In the case of PWRs in Japan, a total of 24 plants were grouped into 11 categories to develop individual SPRA models. The new regulatory rules following the Fukushima Dai-ichi nuclear power plants’ severe accidents, which occurred on March 11, 2011, are going to be enforced in July 2013, and utilities are required to implement additional safety measures to avoid and mitigate severe accident occurrence due to external events such as earthquake and tsunami, by referring to the results of severe accident studies including SPRA.

In this paper a SPRA model development for a domestic 3-loop PWR plant as part of the above-mentioned 11 categories is described. We paid special attention to how to categorize initiating events that are specific to seismic phenomena and how to confirm the effect of the simultaneous failure probability calculation model for the multiple components on the result of core damage frequency evaluation.

Simultaneous failure probability for multiple components has been evaluated by the power multiplier method. Then a tentative level-1 seismic probabilistic risk assessment (SPRA) has been performed with the developed SPSA model, using seismic hazard and fragility data. The base case was evaluated with calculated fragility data and the conventional power multiplier. The difference in CDF between the case of the conventional power multiplier and that of power multiplier=1 (complete dependence) was estimated to be quite small, only 3 percent. However, according to the sensitivity study, it turned out that the effect of the power multiplier increases to as much as 20 percent if the effect of the higher ECCS piping fragility is not considered.

In the future, a more realistic evaluation of correlated simultaneous failure probability would be preferable; however, we confirmed in this study that the effect of this failure probability is up to 20 percent.

Key words: PRA, SPRA, CDF, initiating event, power multiplier, HPI, LPI, CSI, SSC

1. Introduction

In Japan, the revised Seismic Design Guidelines for domestic light water reactors were published on September 19, 2006. This new guideline introduced the objective of confirming, based on the probabilistic risk assessment (PRA) method, that the residual risk resulting from an earthquake that exceeds the design limit seismic ground motion is at a sufficiently low level, in addition to the conventional deterministic design basis methodology. In response to this situation, JNES has been working to improve seismic PRA (SPRA) models for individual domestic light water reactors since before the severe accidents at the Fukushima Dai-ichi nuclear power plants on March 11, 2011. For PWRs in Japan, a total of 24 plants were grouped into 11 categories to develop individual SPRA models. Following the Fukushima accident, the new regulatory rules are going to be enforced in July 2013, and utilities need to implement additional safety measures, including back-fits to existing plants, to avoid and mitigate severe accidents due to external events such as earthquake and tsunami, by referring to the results of severe accident studies including SPRA, as a prerequisite for plant restart.

In this paper a SPRA model development for a domestic 3-loop PWR plant as part of the above-mentioned 11 categories is described. We paid special attention to how to categorize initiating events that are specific to seismic phenomena and how to confirm the effect of the simultaneous failure calculation probability model for the multiple components on the result of core damage frequency evaluation.

The following sections describe the categorization of initiating events, the development of event tree (ET) and fault tree (FT) models, including the correlated simultaneous failure calculation model using the power multiplier, and the results of quantification and of the sensitivity study for the simultaneous failure calculation model.

2. Seismic PRA model development

The target plant for SPRA is a 3-loop PWR plant whose major design features are shown in Table-1. Notable design features of this plant are as follows.

- The charging and safety injection functions are made mutually independent, so that separate pumps are installed for each function, i.e. three charging pumps and two high pressure injection (HPI) pumps.

- Recirculation operation of the high pressure injection (HPI) system is made independent of boosting by residual heat removal (RHR) system pumps and coolers, while the residual heat removal function is available in the HPI-only recirculation operation mode through the coolers of the containment spray (CS) system.

Table-1 Major design features of the target plant

| Major design item | Value and unit | Notes |
|---|---|---|
| Thermal output | 2660 MWt | |
| Electrical output | 890 MWe | |
| Redundancy of safety system | 2 trains | |
| Charging pump | 3 pumps | Separated from HPI function |
| HPI pump | 2 pumps | 1/train |
| HPI recirculation | 2 trains | Separated from RHR boosting |
| RHR pump | 2 pumps | 1/train |
| RHR cooler | 2 coolers | 1/train |
| LPI recirculation | 2 trains | Manual switchover |
| Containment spray pump | 2 pumps | 1/train |
| Containment spray coolers | 2 coolers | 1/train |
| EDG | 2 units | 1/train |
| Auxiliary feedwater pump | 2 pumps | motor-driven |
| | 1 pump | turbine-driven |
| CCW pump | 4 pumps | 2/train |
| CCW cooler | 4 coolers | 2/train |
| Sea water pump | 4 pumps | 2/train |

2.1 Modeling of initiating events

2.1.1 Initiating event categorization

Seismic initiating events can be categorized into two groups: those so catastrophic that they lead directly to core damage, and those mild enough that the various accident mitigation systems can be expected to function. In the SPRA model for the subject PWR plant, the initiating events in the former category are

- Containment building (CB) failure,
- Auxiliary building (AB) failure, and
- Reactor vessel (RV) failure.

Those in the latter category are

- Interface system LOCA (ISLOCA),
- Large break LOCA (L-LOCA),
- Intermediate break LOCA (I-LOCA),
- Small break LOCA (S-LOCA),
- Secondary system break LOCA (SB-LOCA),
- Loss of components cooling water system (L-CCW),
- Loss of offsite power (LOOP), and
- Other transients.

These are defined referring to the internal events PRA. Special considerations in the context of SPRA are described below.

2.1.2 Special considerations for SPRA

(1) CB failure

In this initiating event, two events are included, one is the failure of CB itself that contains pressure boundary of the primary cooling system, and the other is total failure of all Steam Generators (SGs) that result in total failure of both primary coolant piping and penetrations of steam line through CB wall thus leading to simultaneous occurrence of core damage and breach of containment isolation function. Considering the severity, this initiating event is assumed to directly go to core damage.

(2) AB failure

AB contains main control room (MCR) and accident mitigation systems such as ECCS and its supporting systems so that this initiating event is also assumed to directly go to core damage.


(3) RV failure

RV failure itself and extended LOCA (E-LOCA) that exceeds the cooling capacity of ECCS are categorized in this initiating event category. E-LOCA involves multiple failures of primary coolant piping and heavy components such as SGs and Reactor Coolant Pumps (RCPs), except for total failure of SGs, which is included in CB failure.

(4) L-LOCA

L-LOCA includes failure of a single primary coolant system pipe whose diameter is 6 inches or more, a single SG, a single RCP or the pressurizer.

(5) L-CCW

L-CCW is assumed to be triggered by single failure of one of the two safety-class main headers (A, B) and one non safety-class main header (C).

(6) Other transients

In SPSA, the non-safety class power conversion system (PCS), such as the feedwater and condensing systems, is assumed to be lost unconditionally. If no initiating event occurs by seismic failure of systems, structures and components (SSCs), other transients are assumed to occur, with a probability equal to 1.0 minus the sum of the probabilities of all the seismically induced events, as calculated by the hierarchical event tree shown in the next section.

2.1.3 Calculation of initiating event probability

The occurrence probability for each initiating event is calculated using the so-called "hierarchical event tree" (1)(2) shown in Figure-1.

The occurrence probability is calculated such that the sum of the probabilities of all initiating events equals 1.0 at each seismic motion level.

Figure-1 Hierarchical tree of initiating events


2.2 Modeling of event tree and fault tree

Event trees (ETs) and fault trees (FTs) are developed referring to those of internal events PRA, and in the FT analysis, we considered correlated simultaneous failure of multiple components of the same design within the same system and on the same floor by the power multiplier method(1)(2). In the following subsection, at first, special considerations on ET and FT model development are described, followed by the outline of the power multiplier method.

2.2.1 ET model development

ETs have been developed for those initiating events that do not lead directly to core damage, i.e. those in the latter category in subsection 2.1.1 above. Special considerations associated with ET model development are as follows.

In the initiating event of CCWS failure, isolation of the affected main header (header A or B) is essential to recover CCWS function and avoid accident progression through RCP seal LOCA etc. For this recovery operation, short term and long term recovery are included in the ET headings, considering the automatic isolation function of the affected main header, which is unique to this plant.

In the event of LOOP, recovery of emergency diesel generators (EDG) that failed due to the earthquake is not modeled, considering the difficulty of local recovery actions by the crew under the influence of the earthquake. Thus, once this event happens and both diesel generators have failed due to the earthquake or another reason, it is assumed to lead directly to core damage.

In the event of ATWS after LOOP, insertion of control rods by gravity after unlatching of the holding device of the CRDM due to loss of normal power is modeled irrespective of the soundness of the safety protection system, if the deformation of the reactor core is within the permissible range for control rod insertion.

2.2.2 FT model development

FTs for major safety systems including both front line systems and supporting systems were developed. Special considerations for FT development are as follows.

1) Seismic failure of various boards, such as those for emergency electric power supply, signal processing and transmission, and operator action in the MCR or locally, is modeled.

2) Total loss of injection water source due to failure of any segment of the ECCS piping of the HPI, LPI and CSI outside containment structure was modeled as the cause for total loss of injection function from three systems.

3) Total loss of CCW cooling water source of both trains due to failure of any one of the cooler bodies of CCWS, RHR and CS system coolers was assumed resulting in loss of cooling function of CCWS.

4) Operator actions, such as feed and bleed and so on are modeled just as internal PRA.

5) Correlated simultaneous failure of components is modeled based on the power multiplier model as described in the next subsection.


2.2.3 Calculation of simultaneous failure of components

Correlated seismic simultaneous failure was considered between such components as boards, heavy components like SGs, RCPs and valves of the same design, within the same system and on the same floor.

Simultaneous failure probability of multiple components is calculated by the following equation (1),

$$P_{1,2,\ldots,N}(\alpha) = \left\{ P_0(\alpha) \right\}^{n(\alpha)} \qquad (1)$$

where

$P_{1,2,\ldots,N}(\alpha)$: simultaneous failure probability of multiple components 1, 2, ..., N

$P_0(\alpha)$: geometrical average of failure probabilities of N components, given by equation (2) below,

$$P_0(\alpha) = \left\{ \prod_{k=1}^{N} P_k(\alpha) \right\}^{1/N} \qquad (2)$$

$n$: power multiplier representing the effect of correlation, n=1 at complete dependence, n=N at complete independence between multiple components

$\alpha$: seismic ground motion level (gal)

Thus the power multiplier (n) is derived by the following equation (3)

$$n(\alpha) = \frac{\ln P_{1,2,\ldots,N}(\alpha)}{\ln P_0(\alpha)} \qquad (3)$$

Failure probability of single component k can be calculated by the following equation,

$$P_k(\alpha) = \Phi\left[ \frac{\ln\left( M_{rk}(\alpha) / M_{ck} \right)}{\sqrt{\beta_{rr}(\alpha)^2 + \beta_{ru}(\alpha)^2 + \beta_{crk}^2 + \beta_{cuk}^2}} \right] \qquad (4)$$

where,

$P_k(\alpha)$: average (point estimate) failure probability of component k

$\Phi[\,\cdot\,]$: standard log normal cumulative distribution function

$M_{rk}(\alpha)$: median response of component k

$M_{ck}$: median capacity of component k

$\beta_{rr}(\alpha)$: log-normal standard deviation of aleatory uncertainty of response of component k

$\beta_{ru}(\alpha)$: log-normal standard deviation of epistemic uncertainty of response of component k

$\beta_{crk}$: log-normal standard deviation of aleatory uncertainty of capacity of component k

$\beta_{cuk}$: log-normal standard deviation of epistemic uncertainty of capacity of component k

Simultaneous failure probability $P_{1,2,\ldots,N}(\alpha)$ is calculated by introducing the factor, Q, which represents confidence level, as equation (5), where common response and capacity distributions for all the components 1, 2, ..., N, namely complete dependence, are assumed.

$$P_{1,2,\ldots,N}(\alpha) = \int_0^1 \prod_{k=1}^{N} \Phi\left[ \frac{\ln\left( M_{rk}(\alpha) / M_{ck} \right) + \sqrt{\beta_{rr}(\alpha)^2 + \beta_{ru}(\alpha)^2}\; \Phi^{-1}[Q]}{\sqrt{\beta_{crk}^2 + \beta_{cuk}^2}} \right] dQ \qquad (5)$$

Equation (5) is transformed to the following equation to calculate numerically.

$$P_{1,2,\ldots,N}(\alpha) = \frac{1}{L} \sum_{i=1}^{L-1} \prod_{k=1}^{N} \Phi\left[ \frac{\ln\left( M_{rk}(\alpha) / M_{ck} \right) + \sqrt{\beta_{rr}(\alpha)^2 + \beta_{ru}(\alpha)^2}\; \Phi^{-1}[i/L]}{\sqrt{\beta_{crk}^2 + \beta_{cuk}^2}} \right] \qquad (6)$$

Equation (6) is numerically calculated by rectangular integral calculus, where L is the total number of segments over the integration interval, and i is the segment number over the integration interval.
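The calculation chain of equations (1) to (6) can be followed in the sketch below, which is an added example and not the JNES analysis code. It assumes Φ is the standard normal CDF applied to log-ratios and that the response term enters equation (6) with a plus sign (the integral over Q is the same for either sign); the component parameters are constructed sample values, not plant data.

```python
"""Power multiplier n from equations (1)-(6), standard library only."""
from math import log, sqrt, prod
from statistics import NormalDist

PHI = NormalDist()  # standard normal distribution (mean 0, sigma 1)


def single_failure_probability(c):
    """Equation (4): point-estimate failure probability of one component."""
    beta = sqrt(c["b_rr"]**2 + c["b_ru"]**2 + c["b_cr"]**2 + c["b_cu"]**2)
    return PHI.cdf(log(c["m_r"] / c["m_c"]) / beta)


def simultaneous_failure_probability(components, segments=2000):
    """Equation (6): rectangular-rule evaluation of the integral in (5).

    The response uncertainty is sampled once per confidence level i/L and
    shared by all components; capacities vary independently.
    """
    total = 0.0
    for i in range(1, segments):              # i = 1 .. L-1
        z = PHI.inv_cdf(i / segments)         # inverse CDF at confidence level i/L
        term = 1.0
        for c in components:
            beta_r = sqrt(c["b_rr"]**2 + c["b_ru"]**2)
            beta_c = sqrt(c["b_cr"]**2 + c["b_cu"]**2)
            term *= PHI.cdf((log(c["m_r"] / c["m_c"]) + beta_r * z) / beta_c)
        total += term
    return total / segments


def power_multiplier(components, segments=2000):
    """Equations (2) and (3): n = ln P_joint / ln P_0."""
    singles = [single_failure_probability(c) for c in components]
    p0 = prod(singles) ** (1.0 / len(singles))   # geometric average, eq. (2)
    p_joint = simultaneous_failure_probability(components, segments)
    return log(p_joint) / log(p0)


def make_component(response_to_capacity_ratio):
    """Constructed sample component (hypothetical values).

    The betas give a combined response beta of 0.3 and capacity beta of 0.3.
    """
    return {"m_r": response_to_capacity_ratio, "m_c": 1.0,
            "b_rr": 0.24, "b_ru": 0.18, "b_cr": 0.24, "b_cu": 0.18}


if __name__ == "__main__":
    for ratio in (0.5, 0.75, 1.0):
        p = single_failure_probability(make_component(ratio))
        row = [power_multiplier([make_component(ratio)] * n) for n in (2, 3, 4)]
        print(f"P_single={p:.3f}  n(N=2,3,4)=" +
              ", ".join(f"{v:.2f}" for v in row))
```

With these sample values n stays between 1 and N and grows with the single-component failure probability, which is the trend the text describes for Figure-2.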

An example of calculated power multiplier is shown in Figure-2 for the case of redundancy of 3.

The power multiplier varies depending on the mean failure probability of a single component: the higher the failure probability of a single component, the higher the resulting power multiplier. Results for redundancy of 2, 3 and 4 are summarized in Table-2. The newly calculated power multipliers fell below the conventional ones, which are the general inputs in our SPRA and were set based on engineering judgment. In the following section we consider the effect of this difference.

Figure-2 Example of calculated power multiplier

Table-2 Result of power multiplier calculation

| Redundancy | 2 | 3 | 4 |
|---|---|---|---|
| n: old*1 | 1.5 | 2.0 | 2.3 |
| n: new*2 | 1.1~1.3 | 1.2~2.0 | 1.4~1.6 |

*1 Conventional values used in SPRA
*2 Newly calculated values

3. Results of SPSA

SPSA was performed for the following cases.

1) Power multipliers for simultaneous multiple component failure are set to the values of n: old in Table-2.

2) Power multipliers for simultaneous multiple component failure are set to 1, assuming complete dependency.

Figure-3 shows the result of the CDF calculation for the two cases. It turned out that the difference in calculated CDF between the two cases is only three percent. The reason for this small difference is described below and in the next section.

Figure-4 shows the contribution of initiating events to the calculated total CDF for case 1) i.e. with power multiplier not equal to 1. It can be seen from Figure-4 that contribution from M-LOCA is the most dominant showing about 64% of the total CDF, followed by S-LOCA, 25% and L-LOCA, 9%. These three LOCA events account for about 98% of the total CDF.

Figure-3 Example of calculated power multiplier

Figure-4 Contribution of initiating events

Major accident sequences for case 1) and F-V importance are shown in Table-3 and Table-4, respectively. It can be seen from Table-3 that most of the dominant accident sequences involve loss of ECCS injection i.e. HPI, LPI and CSI.

These results are related with calculated higher fragility of ECCS piping and the assumption 2) in FT development, described in 2.2.2 above. According to Table-4, LPI piping shows extremely high F-V importance.

Table-3 Dominant accident sequences

| No. | Initiating event | Accident sequences | Contribution | Cumulative |
|---|---|---|---|---|
| 1 | M-LOCA | Loss of HPI + Loss of LPI + Loss of CSI | 52% | 52% |
| 2 | S-LOCA | Loss of HPI + Loss of LPI + Loss of CSI | 23% | 75% |
| 3 | M-LOCA | Loss of HPI + Loss of 2'ry cooling + Loss of CSI | 11% | 86% |
| 4 | L-LOCA | Loss of LPI + Loss of CSI | 7% | 93% |
| 5 | L-LOCA | Loss of ACC + Loss of CSI | 2% | 95% |

Table-4 Dominant component categories of F-V importance

| No. | Components category | F-V importance |
|---|---|---|
| 1 | LPI piping | 6.7E-01 |
| 2 | Prz PORV piping | 2.1E-01 |
| 3 | Prz spray piping | 1.6E-01 |
| 4 | CS piping | 1.0E-01 |
| 5 | Power center | 5.4E-02 |

4. Discussion

As shown in Table-2, the power multipliers for correlated simultaneous failure probability of components calculated by equation (1) fell below the conventional input values. As shown in Figure-2, the difference in CDF between the conventional n-values and n=1 (complete dependency) is quite small. Thus, for the target plant of this SPRA, the effect of changing the n-values seems to be almost negligible. This is because CDF is dominated by the failure of ECCS piping, whose calculated failure probabilities are significantly higher, especially for LPI.

In order to examine this effect, we performed a sensitivity analysis by enhancing the seismic capacity of the ECCS piping (i.e. HPI, LPI and CSI) ten-fold to hypothetically remove the effect of piping failure, and then re-evaluating case 1) and case 2) of section 3 above. Results are shown in Figure-5. As shown in this figure, after enhancing the capacity of the ECCS piping, the CDF for both case 1) and case 2) is reduced to about one-fifth, shown as 1)† and 2)† in the figure, respectively; however, the ratio of CDF has increased from 1.03 to 1.20. This indicates that the importance of the power multiplier increases after removing the effect of the fragility of piping, to which power multipliers are not applied.

Figure-5 Sensitivity study by removing piping fragility of ECCS (vertical axis: Relative CDF to case 1); horizontal axis: Seismic motion level (gal))

5. Conclusions

An SPSA model for a domestic PWR plant has been established and a tentative quantification was successfully performed, and power multipliers to evaluate correlated simultaneous failure probabilities for multiple components were calculated. In the base case, where calculated fragility data and the conventional power multiplier were applied, the difference in CDF between the case of the conventional power multiplier (case 1)) and that of power multiplier=1 (case 2)) was calculated to be quite small, only 3 percent. However, because the calculated power multipliers were lower than the conventional values, we performed a sensitivity study to see whether this reduction of multipliers becomes important when the fragility of ECCS piping, to which power multipliers are not applied in the current SPSA model, is small enough. It turned out that the effect of the power multiplier increases up to 20 percent if the effect of ECCS piping fragility is removed.

In the future, a more realistic evaluation of correlated simultaneous failure probability would be preferable; however, we confirmed in this study that the effect of this failure probability is up to 20 percent.

6. References

(1) “Implementation Standard Concerning the Seismic-Induced Probabilistic Risk Assessment on Nuclear Power Plant: 2007,” AESJ-SC-P0006:2007.

(2) “Procedures for the External Event Core Damage Frequency Analyses for NUREG-1150,” NUREG/CR-4840, SAND88-3102, Sandia National Laboratories, November, 1990.

OECD/NEA Committee on the Safety of Nuclear Installations (CSNI) International Workshop on PSA of Natural External Hazards including Earthquakes Prague, Czech Republic, June 17-19th 2013

SEISMIC PRA OF A BWR PLANT

Masahide Nishio
Japan Nuclear Energy Safety Organization (JNES), Tokyo, Japan

Haruo Fujimoto
Japan Nuclear Energy Safety Organization (JNES), Tokyo, Japan

ABSTRACT

Since the nuclear power plant accidents at the Fukushima Daiichi nuclear power station, the regulatory framework on severe accidents (SA) has been discussed in Japan. The basic concept is to typify and identify the accident sequences leading to core/primary containment vessel (PCV) damage and to implement SA measures covering internal and external events extensively. As Japan is an earthquake-prone country and earthquakes and tsunami are important natural external events for the safety of nuclear power plants, JNES performed a seismic probabilistic risk assessment (PRA) on a typical nuclear power plant and evaluated the dominant accident sequences leading to core/PCV damage in order to discuss dominant severe accident (SA) scenarios. The analytical models and the results of the level-1 seismic PRA on a 1,100MWe BWR-5 plant are shown here.

NOMENCLATURE

AC      Alternate Current
CDF     Core Damage Frequency
DC      Direct Current
DG      Diesel Generator
Gal     1m/s²
HPCS    High Pressure Core Spray System
ISLOCA  Interface System LOCA
LOSP    Loss of Offsite Power
LPCI    Low Pressure Coolant Injection System
LPCS    Low Pressure Core Spray System
PCS     Power Conversion System
PCV     Primary Containment Vessel
RCIC    Reactor Core Isolation Cooling System
RCW     Reactor Component Cooling Water System
RHR     Residual Heat Removal System
RPV     Reactor Pressure Vessel
SRV     Safety Relief Valve

1. INTRODUCTION

Level-1 seismic PRA was performed for a typical BWR5 plant. The analytical flow is shown in Figure 1. The seismic acceleration range for analysis is 300-2000 gal on the bedrock surface. The lowest acceleration is near the level at which reactor scram is initiated in response to the high ground motion signal. The analysis code used is the one developed mainly by JNES.

Figure 1. Flow of Seismic PRA (flowchart boxes: Information of Plant System; IE Selection; Component Response/Capacity; IE Occurrence Probability; Making PSA Model; Accident Sequence Analysis; Component Damage Probability; Seismic Hazard Curve; Core Damage Frequency; Sensitivity Analysis/Importance Analysis)

2. ANALYTICAL CONDITION

2.1 SYSTEM CONFIGURATION

The system configuration of a typical BWR5 plant is shown in Figure 2. The typical BWR5 plant system is in principle composed of two safety divisions and has two high pressure injection systems (HPCS, RCIC), two low pressure injection systems (LPCS and LPCI) and two residual heat removal systems (RHR). RCIC is a steam-driven system with DC control and all other systems are motor-driven systems. When loss of offsite power occurs, the power of HPCS is supplied by an exclusive HPCS-DG, and the power of LPCS/LPCI (RHR) is supplied by emergency DG-A or B.

Figure 2. BWR5 Plant System (diagram: core injection systems HPCS, RCIC, LPCS, LPCI-A, LPCI-B, LPCI-C; heat removal systems RHR-A, RHR-B; emergency power supply HPCS-DG, DG-A, DG-B; 2 safety divisions)

2.2 SEISMIC HAZARD CURVE

The seismic hazard curve used for analysis is shown in Figure 3. The hazard curve gives the annual exceedance probability (1/y). The exceedance frequency is obtained by ground motion propagation analysis based on historical earthquake data and active fault data.

Figure 3. Seismic Hazard Curve

2.3 ANALYSIS PARAMETER

Component seismic responses are calculated from the floor response analysis of the buildings. Dozens of component capacities are evaluated based on equipment shaking tests or structural analysis.

Component seismic responses and component capacities are composed of median values with standard deviations βr of randomness and standard deviations βu of uncertainty of knowledge. Examples of fragility curves calculated by using component seismic responses and capacities are shown in Figure 4. Component random failure probability and human error probability are set to be the same as in the internal event PRA, though human error probability would be higher than in the internal event PRA. Recovery of damaged components with loss of function is conservatively not considered in the analysis because it would be difficult to make repairs under earthquake conditions.

Figure 4. Component Fragility Curve

2.4 INITIATING EVENT

Initiating events for analysis were selected from the initiating events used in the internal event PRA, based on which events are possible under earthquake conditions. Furthermore, events unique to earthquakes were selected, namely damage to buildings or structures, and excessive LOCA with simultaneous damage to multiple pipes in the PCV. Initiating events selected for seismic PRA are shown below.

- Building damage

- PCV damage

- RPV damage

- Excessive LOCA

- Interface system LOCA

- Large LOCA

- Medium LOCA

- Small LOCA

- Loss of offsite power

- Transient

The occurrence probabilities of initiating events are calculated using the hierarchy tree model because some initiating events occur simultaneously. The hierarchy tree is a method in which initiating events are listed in order of the severity of their influence on core damage. The occurrence probability of each initiating event is calculated successively using the hierarchy tree model, on the condition that some initiating event is certain to occur in an earthquake. In this method, initiating events which occur simultaneously are included in the more severe initiating event in the upper rank. The occurrence probability of an initiating event is calculated by multiplying the non-occurrence probability of the more severe initiating events in the upper ranks by the independent occurrence probability of the corresponding initiating event. The assumed ranking of initiating events for analysis of a BWR plant is shown in Figure 5. The severity order is assumed considering the mitigation systems available in an earthquake.

Figure 5. Hierarchy tree model
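The hierarchy tree calculation described above, and the hierarchical event tree of the PWR paper in which the remainder to 1.0 is assigned to transients, can be sketched as follows. This is an added example, not the JNES code: the ranking is assumed to follow the order of the initiating event list in section 2.4, and every fragility value (median capacity in gal, log-standard deviation) is constructed for illustration.

```python
"""Hierarchy tree: split probability 1.0 among ranked initiating events."""
from math import log
from statistics import NormalDist

PHI = NormalDist()

# (name, median capacity in gal, composite log-standard deviation).
# Constructed values, most severe event first (assumed ranking).
RANKED_FRAGILITIES = [
    ("Building damage",       3500.0, 0.40),
    ("PCV damage",            3500.0, 0.40),
    ("RPV damage",            4000.0, 0.40),
    ("Excessive LOCA",        3000.0, 0.40),
    ("Interface system LOCA", 4000.0, 0.40),
    ("Large LOCA",            1800.0, 0.40),
    ("Medium LOCA",           2000.0, 0.40),
    ("Small LOCA",            2200.0, 0.40),
    ("Loss of offsite power",  600.0, 0.50),
]


def independent_probability(accel_gal, median_gal, beta):
    """Lognormal fragility: occurrence probability ignoring other events."""
    return PHI.cdf(log(accel_gal / median_gal) / beta)


def hierarchy_tree(ranked_probabilities, remainder_name="Transient"):
    """Return {event: occurrence probability}; the values sum to 1.0.

    ranked_probabilities: list of (name, independent probability),
    ordered from the most severe event to the least severe one.
    """
    result = {}
    not_yet = 1.0  # probability that no more severe event has occurred
    for name, p in ranked_probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range for {name}: {p}")
        result[name] = not_yet * p
        not_yet *= 1.0 - p
    result[remainder_name] = not_yet  # remainder to 1.0
    return result


def initiating_event_split(accel_gal):
    """Apply the hierarchy tree at one seismic acceleration level."""
    ranked = [(name, independent_probability(accel_gal, median, beta))
              for name, median, beta in RANKED_FRAGILITIES]
    return hierarchy_tree(ranked)


if __name__ == "__main__":
    for accel in (300, 800, 1400, 2000):
        split = initiating_event_split(accel)
        top = max(split, key=split.get)
        print(f"{accel:5d} gal  sum={sum(split.values()):.6f}  "
              f"dominant: {top} ({split[top]:.3f})")
```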

2.5 ANALYSIS MODEL

The main analysis conditions assumed for accident sequence analysis are as follows.

- Success criteria for the seismic PRA are set up referring to internal event PRA. Low seismic class mitigation systems such as non-safety systems and accident management systems are not considered to be functional in earthquake.

- Damages of building or structure and excessive LOCA which are unique to earthquake lead directly to core damage as they are not mitigated by plant existing systems. These assumptions are considered to have some conservativeness and need to be carefully studied in the future.

- Static components such as piping, piping support, tank are included in the analysis models though they have low random failure probabilities and are not considered in internal event PRA models.

- In case of heat exchangers having boundaries with other systems, there is dependence between systems because the damage of heat exchangers could lead to influence the function of other systems. This dependence is included in the analysis model.

- As the occurrence probability of loss of offsite power (LOSP) is high in earthquake, LOCA and LOSP are considered to occur simultaneously. Scenarios of LOSP are developed in LOCA event trees.

- Recovery of offsite power or emergency DG is not considered because it is accompanied by difficult work in earthquake which was shown in Fukushima Daiichi NPP severe accidents in 2011.

- Human error probability of operator actions is assumed to be set to the same value as in internal event PRA though it may be higher under earthquake circumstances.

- Multiple components of same type could be damaged simultaneously when they receive the same seismic waves. Correlation between simultaneously damaged components is influenced by their natural frequencies and installation locations. As the method of evaluating the correlation, the power of single component fragility probability is used for simultaneous damage probability of multiple components. The correlation is applied to components in the redundant system.

3. ANALYSIS RESULTS

3.1 IE OCCURRENCE PROBABILITY

Initiating event occurrence probabilities after process of the hierarchy tree model are shown in Figure 6. Transient events mostly induced by non-safety component damages and Loss of offsite power are dominant initiating events in the low seismic acceleration range. On the other hand, LOCA becomes the dominant initiating event in the high seismic acceleration range.

Figure 6. Initiating event occurrence probability (after process of hierarchy tree model)


3.2 CDF PER SEISMIC ACCELERATION

Conditional core damage probability (CCDP) is the core damage probability assuming that an earthquake occurs with a probability of 1.0 at an individual seismic acceleration. Core damage frequency (CDF) per seismic acceleration, which is obtained by multiplying CCDP by the earthquake occurrence frequency per seismic acceleration, is shown as a function of seismic acceleration in Figure 7. The contribution of large LOCA and loss of offsite power to CDF per seismic acceleration increases gradually beyond around 800 gal. CDF per seismic acceleration has a mountain shape with a peak at about 1500 gal. The mountain shape arises from multiplying the increasing CCDP by the decreasing earthquake occurrence frequency per seismic acceleration.

Figure 7. CDF per seismic acceleration

3.3 CORE DAMAGE FREQUENCY

The total core damage frequency is obtained by integrating the core damage frequency per seismic acceleration from the previous section over the whole seismic acceleration range. The contribution of initiating events to the total core damage frequency is shown in the pie chart of Figure 8. The initiating event with the largest contribution is LOSP, followed by large LOCA. Large LOCA includes simultaneous occurrence of LOSP. The damage to buildings or structures and the excessive LOCA leading directly to core damage each account for several percent of CDF.

Figure 8. IE contribution to CDF
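The steps of sections 3.2 and 3.3 (CCDP multiplied by the occurrence frequency per acceleration bin, then summed over the acceleration range) are shown below as an added example that is not the JNES code. The hazard curve and the CCDP curve are constructed functions chosen only to show the shape of the calculation; they are not the curves of Figure 3 or Figure 7.

```python
"""CDF per seismic acceleration bin and total CDF from a hazard curve."""
from math import log
from statistics import NormalDist

PHI = NormalDist()


def hazard_exceedance(accel_gal):
    """Constructed hazard curve: annual exceedance frequency (1/y)."""
    return 1.0e-3 * (accel_gal / 300.0) ** -3


def ccdp(accel_gal):
    """Constructed plant-level conditional core damage probability."""
    return PHI.cdf(log(accel_gal / 2300.0) / 0.4)


def cdf_per_bin(edges, hazard=hazard_exceedance, cond_prob=ccdp):
    """Return one (lo, hi, occurrence frequency, CDF) tuple per bin.

    The occurrence frequency of a bin is the drop of the exceedance
    frequency across it; CCDP is evaluated at the bin midpoint.
    """
    rows = []
    for lo, hi in zip(edges, edges[1:]):
        freq = hazard(lo) - hazard(hi)
        if freq < 0.0:
            raise ValueError("exceedance frequency must not increase")
        rows.append((lo, hi, freq, freq * cond_prob(0.5 * (lo + hi))))
    return rows


def total_cdf(rows):
    """Sum the bin contributions over the whole acceleration range."""
    return sum(row[3] for row in rows)


def peak_bin(rows):
    """Bin (lo, hi) with the largest CDF contribution."""
    best = max(rows, key=lambda row: row[3])
    return best[0], best[1]


EDGES = list(range(300, 2001, 100))  # 300-2000 gal in 100 gal bins

if __name__ == "__main__":
    table = cdf_per_bin(EDGES)
    for lo, hi, freq, cdf in table:
        print(f"{lo:4d}-{hi:4d} gal  freq={freq:.2e}/y  CDF={cdf:.2e}/y")
    print(f"total CDF = {total_cdf(table):.2e}/y, peak bin = {peak_bin(table)}")
```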

3.4 DOMINANT ACCIDENT SEQUENCES

Dominant accident sequences are shown in Table 1. The top of dominant sequences is simultaneous occurrence of large LOCA and loss of all AC powers (station blackout). The second and third highest accident sequences are overlapping of failure of steam driven reactor core cooling system RCIC after station blackout. The fourth and fifth highest accident sequences are failures of residual heat removal system RHR after success of core cooling by HPCS after failure of emergency DGs. These accident sequences are all through success paths of reactor shutdown. More than 70% of core damage frequency is occupied by top five accident sequences.

Table 1. Dominant accident sequences

| Rank | IE | Scenario | % |
|---|---|---|---|
| 1 | Large LOCA | LOSP, Loss of DG-A/B/HPCS | 21 |
| 2 | LOSP | Loss of DG-A/B/HPCS, Failure of 1SRV re-closure, Failure of RCIC | 16 |
| 3 | LOSP | Loss of DG-A/B/HPCS, Failure of RCIC | 16 |
| 4 | LOSP | Loss of DG-A/B, Failure of 1SRV re-closure, Success of core cooling by HPCS, Failure of residual heat removal by RHR | 15 |
| 5 | LOSP | Loss of DG-A/B, Success of core cooling by HPCS, Failure of residual heat removal by RHR | 5 |

3.5 IMPORTANCE ANALYSIS

Importance analysis was performed and the Fussell-Vesely importance of each component was obtained. Dominant components with high Fussell-Vesely importance are shown in Figure 9. Offsite power equipment, emergency DG and the reactor component cooling water pump (RCW) have high F-V importance. The capacities of these components need to be enhanced to reduce CDF.

Figure 9. FV Importance Results

4. SENSITIVITY ANALYSIS

It was shown that emergency DGs are components with high F-V importance for core damage frequency. Sensitivity analysis was performed to find out how much CDF would be reduced if the capacity of emergency DGs were enhanced. The capacity of emergency DGs is at present under reexamination based on vibration test data. With reference to this reexamination, the capacity of emergency DGs is assumed to be twice that of the base case analysis. The result was that core damage frequency is reduced by approximately one third of the base case. The FV importance of emergency DGs became low.

5. CONCLUSION

A seismic PRA was performed for a typical BWR5 plant. The initiating events with a large contribution to the core damage frequency are the loss of all AC power (station blackout) and the large LOCA. The most dominant accident sequence is the simultaneous occurrence of station blackout and large LOCA. The components most important to the core damage frequency are electric power supply equipment. It should be kept in mind that the results are influenced, to a greater or lesser extent, by the geologic characteristics of the site. In the course of the analysis, issues such as conservative assumptions related to damage to buildings or structures and the success criteria for excessive LOCA were left to be resolved. These issues will be studied further in the future, including by thermal-hydraulic analysis.


Optimization of safety and seismic classification during the design stage of non-reactor nuclear facilities

Maxi Mummert, Nils Haneklaus, Dr. Anke Traichel

Department of Safety Engineering and Assessment NUKEM Technologies GmbH Industriestraße 13 D-63755 Alzenau Germany

ABSTRACT

Safety and seismic classifications are part of the seismic design concept of a nuclear facility. Due to the framework of international agreements, seismic design concepts are mandatory for licensing of nuclear facilities. Nevertheless, most countries do not have methods and guidance for safety and seismic classifications of non-reactor nuclear facilities that are prescribed by the regulatory body. In Germany and Russia the seismic design of a nuclear facility is derived from possible seismic hazards and a seismic classification of its structures, systems and components (SSC). During the seismic classification SSC are categorized in terms of their importance to safety in the event of a design basis earthquake. Therefore, the seismic classification is highly dependent on the safety classification of the facility. Currently the safety and seismic classifications of the components are typically based on a time-consuming case by case assessment.

An approach for systematic safety and seismic classifications of non-reactor nuclear facilities derived from the Russian safety and seismic classifications of nuclear power plants is presented. The systematic approach provides a user-friendly tool to optimize safety and seismic classifications of components in non-reactor nuclear facilities. Using a single transparent tool for safety and seismic classifications leads to more reasonable classifications as it allows comparisons between classifications of components in different facilities. A higher level in safety or seismic classification leads to higher efforts when manufacturing a component. The presented tool provides information concerning the safety and seismic classification in an early design stage of the facility. This enables the user to make changes in the seismic design of the facility that allow a possibly lower level of safety and seismic classification at this stage. The systematic approach is tested at a waste treatment/conditioning facility. It is intended to provide a footing for future user-friendly software. The software is to be designed in such a way that users not familiar with the national norms concerning safety and seismic classification are able to use it successfully. Hence, experience and expert knowledge in safety and seismic classification are easily accessible. Furthermore, the systematic approach is being used to discuss the application of seismic probabilistic risk analysis for non-reactor nuclear facilities.

1. INTRODUCTION AND MOTIVATION

Nuclear facilities are designed to withstand seismic events in order to protect humans and the environment from radioactive fission products. During the seismic design process of a nuclear facility, all safety-related structures, systems and components (SSC) are evaluated independently of one another. The assessment is fundamental for the seismic design of SSCs, which have been attributed different safety margins. A comparison of the safety margins of SSCs against seismic events is currently provided after construction of the facility in the course of the seismic probabilistic risk analysis.

In the present work, a method for conducting a probabilistic analysis has been developed for non-reactor nuclear facilities (seismic safety evaluation). The approach compares the safety margins of SSCs already in the design stage of the nuclear facility. The seismic factor of safety of individual SSCs is assessed in order to weigh their seismic safety margins. The seismic factor of safety is an integral part of the seismic probabilistic risk analysis. It quantifies the seismic safety margin of SSCs by calculating the ratio of the design basis earthquake (estimated seismic activity affecting the SSC) and the failure earthquake (calculated seismic activity which causes a failure of the SSC).

For the development of a generalised approach for the evaluation of the safety level of the facility components against seismic impacts, the following issues are further considered:

• Simplification of the seismic probabilistic safety analysis, so that it can be applied during the planning stage.
• Adaptation of the simplified seismic probabilistic safety analysis, so that it can be applied to non-reactor nuclear facilities.
• Verification of the simplified seismic probabilistic safety analysis with respect to national legislation.
• Consideration of the cost-effectiveness of the simplified seismic probabilistic safety analysis.

With the developed approach, the safety level of the non-reactor nuclear facility should be increased already in the planning stage. Objectivity as well as increased efficiency in safety classification and seismic classification can be achieved.


2. CONSIDERATION OF SEISMIC IMPACTS

In general the considerations of seismic impacts during construction of nuclear power plants can be divided into three stages (figure 1-2). In Stage 1 the seismic impacts are considered for the design of the facility in the planning stage. After the construction of the facility, the deterministic safety status analysis, the safety analysis as well as a probabilistic safety analysis are executed in stage 2. To increase the safety level against seismic events, a seismic probabilistic safety analysis can be executed in stage 3.

[Figure 1: Safety analysis for consideration of seismic impacts on nuclear facilities. Pre-construction phase: Stage 1, consideration of seismic impacts. Post-construction phase: Stage 2, deterministic safety status analysis, safety analysis, probabilistic safety analysis; Stage 3, seismic probabilistic safety analysis.]

The consideration of seismic impacts on non-reactor nuclear facilities is based on the regulations for nuclear power plants (see figure 1) [2]. A Seismic Probabilistic Safety Analysis is not provided for non-reactor nuclear facilities and has not yet been carried out according to the current state of science and technology [3].


2. Seismic Safety Evaluation

2.1 Introduction to the Seismic Safety Evaluation for non reactor nuclear facilities

The aim of the innovative concept of the Seismic Safety Evaluation (SSE) is to determine the safety margin of safety factors and/or economically relevant parts of a system during the planning of the facility.

[Figure 2: Structure of seismic safety assessment. Design: design against seismic events, seismic safety assessment, necessary rectifications and reductions. Construction: construction of the plant, necessary rectifications. Analysis: safety analysis, necessary probabilistic seismic analysis.]

The SSE permits the early identification of weak points and the early localization of overly conservatively designed components. Since this process already takes place in the design phase of the facility, improvements are relatively inexpensive. As a result, the weak points can be resolved by a modified design, an alternative that would be possible only with considerable effort after the construction of the plant. Another alternative is the downgrading of plant components that are laid out too conservatively. In comparison, downgrading such components after the construction of the plant is not only practically impossible (the reduction of the wall thickness), but would also be very expensive. In summary, the SSE can be regarded as a voluntary supplement to the existing safety analyses.


3.2. APPLICATION OF THE SEISMIC SAFETY EVALUATION FOR NON-REACTOR NUCLEAR FACILITIES

The seismic safety evaluation is based on the safety margin factors method. For this reason, it is likewise carried out in three stages (Figure 3).

[Figure 3: Approach for the execution of the seismic safety evaluation. Stage 1: Generation of input data. Stage 2: Determination of the safety margin factors. Stage 3: Evaluation of the balance of the safety margin factors.]

For a better delineation of the seismic safety evaluation from the safety reserve factor method, the three stages to implement the seismic safety evaluation will be explained in more detail.

Stage 1: Generation of input data

Stage 1 of the seismic safety evaluation includes the determination of the safety-relevant facility components by means of the safety and seismic classification as well as the resulting determination of the design basis earthquake and the beyond design basis earthquake.

Stage 2: Determination of the safety margin factors

The main benefit of the seismic safety evaluation is the determination of the safety margin factors. Those factors quantify the actual safety level against seismic impacts [1]. It is recommended to quantify the safety margin factors for all relevant facility components. The safety margin factor for a facility component consists of the relation between the beyond design basis earthquake for the corresponding component and the design basis earthquake for the corresponding component [1].

Stage 3: Evaluation of the balance of the safety margin factors

The safety margin factors of the facility components are compared in the final stage of the seismic safety evaluation. Three different areas can be distinguished.


[Figure 4: Evaluation of the balance of facility components with the seismic safety evaluation based on individual safety margin factors. The plot shows the safety margin factor for facility components (FC) FC1, FC2 and FC3, with an upper boundary and a lower boundary separating the range of conservative safety margins, the range of necessary safety margins and the range of low safety margins (weak points).]

Based on a comparison of the safety margin factors, facility components with conservative safety margins (Figure 4, range of conservative safety margins) and facility components with low safety margins (Figure 4, range of low safety margins) can be identified. As a result of the seismic safety evaluation, facility components that have disproportionately high safety margin factors (Fig. 4, FC2) could be designed less conservatively without violating the relevant safety regulations. Facility components in the range of low safety margins (Fig. 4, FC3) must be designed with a higher safety level to meet the legal requirements. In both cases, subsequent changes during the construction phase can be effectively avoided.


4. SUMMARY

Compared to the existing procedure, the innovative concept of the seismic safety evaluation uses data (safety margin factors) from the design of the facility that are already available during the planning stage. This concept prevents expensive remediation of the facility after construction and reveals possibilities for safety margin reductions at the right time. The seismic safety evaluation is particularly suitable for nuclear facilities with a low level of safety-relevant facility components (non-reactor nuclear facilities and facilities without nuclear fuel). Those facilities are often classified very conservatively by nuclear-related legislation. By applying the seismic safety evaluation, overly conservative safety margin factors can be identified and substantiated with concrete values, so that design changes can be applied to reach reasonable safety margin factors.

5. Sources

[1] RS-Handbuch 3-74.1, Bekanntmachung der Leitfäden zur Durchführung von Periodischen Sicherheitsüberprüfungen (PSÜ) für Kernkraftwerke in der Bundesrepublik Deutschland

[2] Kerntechnischer Ausschuss, KTA 2201, Auslegung von Kernkraftwerken gegen seismische Einwirkungen, Fassung 2011-11

[3] Bundesamt für Strahlenschutz, Facharbeitskreis Probabilistische Sicherheitsanalyse für Kernkraftwerke, BfS-SCHR-37/05, Methoden zur probabilistischen Sicherheitsanalyse für Kernkraftwerke, Stand: August 2005


SESSION 6

USE OF EXTERNAL EVENTS PSA WITH THE FOCUS ON REGULATORY BODY ROLE

Chair: Ulla Vuorio

M. Krauss ACTUAL REGULATORY DEVELOPMENTS CONCERNING THE IMPLEMENTATION OF PROBABILISTIC SAFETY ANALYZES FOR EXTERNAL HAZARDS IN GERMANY

S. Sancaktar, F. Ferrante, N. Siu, K. Coyne INCORPORATION OF ALL HAZARD CATEGORIES INTO U.S. NRC PRA MODELS

M. Xu, Smain Yalaoui PSA APPROACH FOR THE EVALUATION OF EXTERNAL HAZARDS AS PART OF CNSC FUKUSHIMA ACTION ITEMS

K. Kondo STRATEGIE TOWARDS ENTERPRISING DEVELOPMENT AND APPLICATION OF EXTERNAL EVENTS PRA STANDARDS IN JAPAN

J. Sandberg and U. Vuorio THE ROLE OF EXTERNAL EVENTS PSA IN THE FINNISH REGULATORY APPROACH


Current regulatory developments concerning the implementation of probabilistic safety analyses for external hazards in Germany.

Matias Krauß, Heinz-Peter Berg, Bundesamt für Strahlenschutz, Salzgitter, Germany

INTRODUCTION

In September 2003, the Federal Ministry for the Environment, Nature Conservation and Nuclear Safety (BMU) initiated a comprehensive program for the revision of the national nuclear safety regulations, which was successfully completed in November 2012 [5]. These nuclear regulations take into account the current recommendations of the International Atomic Energy Agency (IAEA) and Western European Nuclear Regulators Association (WENRA). In this context, the recommendations and guidelines of the Nuclear Safety Standards Commission (KTA) and the technical documents elaborated by the respective expert group on Probabilistic Safety Analysis for Nuclear Power Plants (FAK PSA) are being updated or are in the final process of completion. A main topic of the revision was the issue of external hazards.

As part of this process and in the light of the accident at Fukushima and the findings of the related actions resulting in safety reviews of nuclear power plants at national level in Germany [20] and on European level [19], a revision of all relevant standards and documents has been made, especially the recommendations of KTA and FAK PSA. In that context, not only design issues with respect to events such as earthquakes and floods have been discussed, but also methodological issues regarding the implementation of improved probabilistic safety analyses on this topic.

As a result of the revision of the KTA 2201 series [18] “Design of Nuclear Power Plants against Seismic Events” with its parts 1 to 6, part 1 “Principles” was published as the first standard in November 2011, followed by the revised versions of KTA 2201.2 (soil) and 2201.4 (systems and components) in 2012. The modified standard KTA 2201.3 (structures) is expected to be issued before the end of 2013. In the case of part 5 (seismic instrumentation) and part 6 (post-seismic actions), draft amendments are expected in 2013.

The expert group “Probabilistic Safety Assessments for Nuclear Power Plants” (FAK PSA) is an advisory body of the Federal Ministry for Environment, Nature Conservation and Nuclear Safety (BMU). This expert group, led by the Federal Office for Radiation Protection (BfS), has the task to advise the BMU on all methodological issues for the implementation of probabilistic safety analyses and has elaborated two publications on methods and data for PSA with the aim to support a unified application of the PSA in Germany.

REGULATORY BASIS IN GERMANY

The German safety concept for nuclear power plants gives priority to the deterministic approach, i.e. deterministic analysis and good engineering judgement are the primary tools of design evaluation. Probabilistic safety assessment is seen as a supplementary tool to the deterministic approach which provides quantitative information on the occurrence of incidents and thus can be used to check deterministic design assumptions, to evaluate desired plant and system modifications, to optimize corrective measures and to identify existing safety margins, e.g. in the frame of comprehensive (periodic) safety reviews [1]. The hierarchy of the German PSR documents is shown in Fig. 1 below.

As a result of the IRRS mission to Germany in 2008, which suggested developing a uniform Federal policy document [2], and the planned lifetime extension of nuclear power plants in 2010, the need for a more stringent approach to risk-informed decision making within the German regulatory framework has been identified. Therefore, the Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) has been contracted by the Federal Ministry for the Environment, Nature Conservation and Nuclear Safety (BMU) to develop a proposal for an integrated risk-informed decision making approach for German nuclear power plants. First results of this project are provided in [3] and in more detail in [4]. However, risk-informed decision making is in general still not practised in Germany, and it is currently not intended to put it into force in the near future.

Fig. 1: Hierarchy of the German PSR documents

In the past, the safety concept of nuclear power plants, the regulatory framework laid down in ordinances, guidelines, recommendations of the Reactor Safety Commission (RSK) and nuclear safety standards (KTA Standards) as well as licensing decisions by the competent authorities and their experts in the Federal Republic of Germany were mainly based on a set of deterministic principles, such as

• safety features to prevent or control abnormal operation conditions and incidents,
• passive barriers against radioactivity releases in case of an incident,
• redundancy and diversity of safety systems to ensure high reliability.

Safety requirements including acceptance criteria and safety targets are usually defined by the regulatory body. Safety decision making during design, construction and licensing has essentially been based on the verification of compliance with pre-described technical requirements as laid down, e.g., in the German nuclear safety standards. Boundary conditions for the safety analysis, safety margins with regard to the prevention and control of incidents as well as specific, partially very detailed, requirements concerning safety functions are deterministically postulated.

Due to the permanent regulatory oversight of specified normal operation (levels 1 and 2 of the defence in depth concept), it is entirely sufficient to assess the results for these two levels in the frame of a comprehensive periodic safety review (PSR) in a simplified way. By assessing operating experience, including safety-relevant areas of operating management, the aim is to show to what extent the respective requirements for these levels are satisfied and how the technical installations and measures have proven to ensure safety during operation so far. Investigations concerning incidents constitute the central point of the PSR, i.e. focusing on whether the enveloping incidents can be controlled by available precautionary measures with sufficient effectiveness and reliability.

It is the overall requirement in the frame of PSR in Germany to perform a probabilistic safety assessment as a supplement to the deterministic safety analysis to gain insights which are not revealed by the deterministic approach. The main objectives are to check the overall safety level of the plant and to analyze whether the engineered safety features designed to cope with safety-relevant incidents are well balanced. The latter item predominantly consists of an evaluation of single contributions (event sequences) from initiating events, which should not dominate the overall quantitative safety results, and is regarded as the primary objective. The evaluation has to be performed taking into consideration quantitative as well as qualitative results of the analysis. Interpretation of the results shall include adequate uncertainty, sensitivity and importance analysis. Deterministic and probabilistic approaches are now jointly being used in evaluating and improving nuclear safety.

For the PSR performed up to now, no probabilistic quantitative safety goals are determined although different proposals were made in the past [6]. On the other hand, the competent authorities and their supporting expert organizations have to assess the results of the probabilistic safety assessments submitted by the licensees and have to decide if the quantitative results of the probabilistic safety assessments, provided in the frame of (periodic) safety reviews, are adequate [8].

The measures to be taken and directives to be given by the responsible supervisory authority in the scope of the overall evaluation of the results have to be established according to the principle of commensurability [9]. Significant modifications of technical systems and components in German nuclear installations are generally assessed by application of the detailed prescriptive German nuclear safety standards. In case of deviations, e.g. from the original material used and/or its thickness in the case of pipework, it is possible to prove that the design of the new equipment is equivalent to the design of the old equipment and that the existing safety margins are not reduced. This means in practice that in case of significant modifications it has to be shown in Germany that all deterministic boundary conditions are still fulfilled.

Nevertheless, licensees in Germany have submitted in the past – together with their approval for a significant modification – probabilistic considerations in addition to the deterministic assessment as supporting arguments.

Recently, a revision of the national nuclear safety regulations has been successfully completed and these regulations entitled “Safety Requirements for Nuclear Power Plants” [5] require with respect to probabilistic safety assessments:

• For the safety demonstration that the technical safety requirements are met, deterministic as well as probabilistic safety analyses have to be considered.
• Probabilistic safety analyses (PSA) shall supplement deterministic safety analyses for demonstrating the balance of the safety related plant design.
• Furthermore, probabilistic safety analyses (PSA) shall supplement deterministic safety assessments for demonstrating the safety significance:
  - of changes in plant structures, systems and components (SSC), measures or procedures as well as
  - of insights from safety significant incidents or phenomena being applicable to German NPPs, if a significant impact on PSA results is expected.
• The mean value of CDF and LERF covering all plant internal events, internal and external hazards and emergency cases must not increase due to planned modifications in plant SSC, measures or procedures.

This means that the new German safety requirements contain an implicit definition of quantitative safety criteria: Mean CDF and LERF of a full scope PSA Level 1 and 2, respectively, must not increase due to a planned plant modification. However, no absolute value is given by which the current risk status of the plant can be judged to be acceptable [21]. The values for CDF have been calculated in the frame of the comprehensive safety reviews and the results of the latest safety review for the respective nuclear power plant (NPP) are the basis for the comparison in case of modifications.


DESIGN AND ASSESSMENT OF EXTERNAL HAZARDS FOR NUCLEAR POWER PLANTS IN GERMANY

Methods to analyze existing plants systematically regarding the adequacy of their existing protection equipment against hazards can be deterministic as well as probabilistic. Typical investigations for German nuclear power plants are provided in [10], [11] and [12].

Seismic design and flood protection according to KTA

In Germany, nuclear power plants are designed against earthquakes according to the nuclear safety standard series KTA 2201. This standard series consists of six parts and is currently under revision. A site-specific deterministic seismic hazard assessment is required for NPP sites in Germany according to [18]. In the new version of this standard the application of probabilistic methods for the hazard assessment is explicitly required. Further parts of KTA 2201 addressing seismic instrumentation and post-seismic actions are nearly finalized.

The design basis earthquake is the earthquake of maximum intensity at a specific site which, according to scientific knowledge, may occur at the site or within a larger radius of the site (up to approx. 200 km from the site). In the probabilistic determination of the design earthquake, an exceedance probability in the range of 10⁻⁴ to 10⁻⁵ per year is to be taken as the basis. The fractile value of the design spectrum may be assumed to be 50% if an exceedance probability of the design earthquake of 10⁻⁵ per year is shown; the fractile is assumed to be 84% if an exceedance probability of 10⁻⁴ per year is assumed. For the design earthquake, the assessment has to indicate the seismic intensity, the location, the strong-motion duration and site-specific response spectra. Here, the local and regional geological and tectonic conditions are also taken into account. In geological areas with low seismicity as well, the design earthquake for nuclear power plants has to be assumed so that even in those cases the effects of seismic intensity VI according to the EMS scale have to be calculated. Combinations of loads resulting from earthquakes and earthquake-induced incidents and consequential incidents shall be taken into consideration. More details on the seismic design of nuclear power plants are provided in [13].

According to KTA 2207 [14], it is necessary to determine statistically the storm-tide water level with an exceeding frequency of 10⁻² per year plus a site-specific addend. In conclusion, a storm-tide must be covered with an exceeding frequency of 10⁻⁴ per year. In the context of the analysis, the design-basis flood is that particular flood event which is the basis for the flood protection of the respective plant, specifically with regard to meeting the safety objectives. The permanent flood protection is that flood protection which is effective at all times (e.g. protection by flood-safe enclosure, by structural seals). The loads due to the design-basis flood must be combined with other loads such as operational loads, earth thrust, wind load, static water pressure due to the design water level, streaming water, waves, upswing, flotsam, and ice pressure. More details are provided in [12].

Probabilistic safety assessment of natural external hazards

The latest revision of the German guideline on Probabilistic Safety Analyses (PSA) in the framework of safety reviews of nuclear power plants requires PSA for natural external hazards like seismic or flood events supported by the corresponding technical document on PSA methods [7].

Seismic events

The PSA procedure for seismic events consists of three major steps:

1. seismic hazard analysis,
2. determination of failure probabilities of structures, systems and components (SSC),
3. development of seismically induced event trees with subsequent calculation of core damage frequencies.


The seismic PSA is an essential part of the safety review of nuclear power plants worldwide, because at locations with a non-negligible seismic hazard, earthquakes can contribute significantly to the overall core damage frequency. Therefore, the latest revision of the German PSA technical documents [7] stipulates a complete seismic resistance analysis for those plants whose seismic hazard assessment exhibits an earthquake intensity greater than VII (according to the EMS scale). For nuclear power plants with a lower seismic hazard, simplified analyses are acceptable (see Table 1).

Table 1: Progressive verification records for an “earthquake” event in accordance with the value of the current adequately determined intensity of the design basis earthquake at the location of the facilities.

| Intensity I | Progressive record verification | Comment |
|---|---|---|
| I ≤ 6 | No analysis necessary | According to KTA 2201.3 |
| 6 < I ≤ 7 | An initial facility inspection must be carried out. If this results in indications of insufficient margins for the deduction of earthquake stresses, they must be assessed on the basis of these verifications. | More inspections or measures for improving safety may be necessary. |
| I > 7 | Earthquake safety analysis in accordance with the safety reserve factor procedure. | |

In general, all seismically induced initiating events which might occur in a nuclear power plant have to be considered in a seismic PSA. But unlike internal initiating events, the seismically induced initiating events and the seismic failure behavior of the safety systems depend on the actual intensity of the earthquake. Thus, a set (discrete or continuous) of several earthquake intensities has to be considered (cf. [7] and [16]).
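The discrete treatment described above can be made concrete with a short calculation. The following is an added example, not taken from the paper or from the German PSA technical documents: it runs the three steps for a single station blackout sequence over a discretised hazard curve. It assumes peak ground acceleration as the intensity measure and lognormal component fragilities; all numbers and function names are constructed for illustration.

```python
"""Added illustration of a discretised seismic PSA quantification.
Every number below is constructed for the example; none comes from the paper."""
import math

# Constructed site hazard curve: (peak ground acceleration in g,
# annual frequency of exceeding it).
HAZARD_CURVE = [(0.1, 1e-3), (0.2, 2e-4), (0.4, 3e-5), (0.8, 3e-6), (1.6, 1e-7)]

# Constructed lognormal fragilities: (median capacity in g, log-standard deviation).
# Assumption: the redundant emergency diesel generators are treated as one
# fully correlated group, so they share a single fragility.
FRAGILITIES = {
    "offsite_power": (0.3, 0.4),
    "emergency_dg": (0.9, 0.4),
}


def failure_probability(pga, median, beta):
    """Conditional failure probability of one SSC at a given PGA (lognormal model)."""
    z = math.log(pga / median) / beta
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def hazard_bins(curve):
    """Step 1: convert the exceedance curve into discrete (PGA, frequency) bins."""
    bins = []
    for (a_lo, f_lo), (a_hi, f_hi) in zip(curve, curve[1:]):
        # The representative PGA is the geometric midpoint of the interval.
        bins.append((math.sqrt(a_lo * a_hi), f_lo - f_hi))
    a_top, f_top = curve[-1]
    bins.append((a_top, f_top))  # everything above the last tabulated point
    return bins


def conditional_core_damage(pga, fragilities):
    """Steps 2 and 3 for one sequence: station blackout, i.e. offsite power AND
    the diesel group both fail. Assumed here to lead directly to core damage."""
    p = 1.0
    for median, beta in fragilities.values():
        p *= failure_probability(pga, median, beta)
    return p


def core_damage_frequency(curve, fragilities):
    """Sum bin frequency x conditional core damage probability over all bins.
    Returns the total and the per-bin contributions."""
    contributions = [
        (pga, freq * conditional_core_damage(pga, fragilities))
        for pga, freq in hazard_bins(curve)
    ]
    return sum(c for _, c in contributions), contributions


def with_scaled_capacity(fragilities, name, factor):
    """Sensitivity case: scale the median capacity of one component."""
    scaled = dict(fragilities)
    median, beta = scaled[name]
    scaled[name] = (median * factor, beta)
    return scaled


if __name__ == "__main__":
    base, parts = core_damage_frequency(HAZARD_CURVE, FRAGILITIES)
    print(f"base CDF: {base:.2e} per year")
    for pga, c in parts:
        print(f"  PGA ~{pga:.2f} g: {c:.2e} ({100 * c / base:.0f}% of CDF)")
    stronger = with_scaled_capacity(FRAGILITIES, "emergency_dg", 2.0)
    improved, _ = core_damage_frequency(HAZARD_CURVE, stronger)
    print(f"CDF with doubled DG capacity: {improved:.2e} per year")
```

The per-bin output shows which intensity range dominates the result, which is the information a single-intensity analysis cannot provide.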

Flood events

The German regulatory framework requires a determination of a sufficient water level as design basis and appropriate structural protection measures against this hazard in the design of the plants to avoid radiological consequences for the environment.

The adequacy of the protection measures has been shown in the past only on a deterministic basis. The probabilistic safety assessment guideline as well as the corresponding technical documents also prescribe probabilistic analyses of external hazards including flooding.

PSA regulations consider extreme events with recurrence intervals of 10,000 years. Besides the frequently occurring extreme storm surges, other events also have to be considered. One example is the possible impact of a tsunami type of event, simulating the propagation and development of extreme waves in the North Sea towards the German Bight, initiated by a hypothetical slide at the continental margin off the Norwegian coast. This scenario has been analyzed as a consequence of the tsunami in December 2004 in Indonesia [17].

A graded approach for the extent of a probabilistic safety assessment in case of external flooding containing deterministic and probabilistic elements has been developed and is described in [16]. This approach takes into account site-specific aspects like the nuclear power plant grounded level compared with surroundings level and plant-specific aspects such as design with permanent protection measures and prescribed shut down of the plant according to the instructions of the operation manual at a specified water level which is significantly below the level of the design flooding. The graded approach for external flooding can be summarized as given in Table 2.


Table 2. The graded safety assessment approach regarding external flooding

| Criterion | Extent of analysis |
|---|---|
| Flooding of plant site can be practically excluded due to the NPP grounded level compared with surroundings level | No analysis necessary |
| 1. The plant is designed against the design-basis flood with an exceedance probability of 10⁻⁴ per year; 2. Design with permanent protection measures; 3. Shut down of the plant according to the instructions of the operation manual at a specified water level which is significantly below the design-basis water level; 4. Conditional probability for water impact in case of the design-basis flood less than 10⁻² | Determination of possible water paths in relevant structures and estimation of the conditional probability for water impact in case of the design-basis flood |
| Other design | Determination of the exceedance for the design-basis flood of the plant up to a value of > 10⁻⁴ per year, detailed event sequence considerations including the quantification of core damage frequency |

CONCLUSIONS

With the publication “Safety requirements for nuclear power plants” [5], a modern version of the German nuclear safety regulations has been published. In this regulation, the broad experience from the application of the periodic safety reviews has been incorporated as a key element of regulatory supervision. Further key findings from the European safety review of nuclear power plants were taken into account after the accident at Fukushima. The revision also paid special attention to the requirements and recommendations of WENRA and IAEA.

In addition, the recommendations and guidelines of the Nuclear Safety Standards Commission (KTA) and the expert group on Probabilistic Safety Analysis (PSA FAK) have also been updated. The update activities have focused on the natural external hazards “earthquake” and “flooding” in the German regulations [7] and [18]:

• Probabilistic assessment for retrofit measures in individual cases for all operating modes and the PSA level 1 and level 2 is possible.
• Deterministic and probabilistic site hazard analyses for the events “earthquake” and “flood” are required.
• For the event “earthquake”, according to IAEA, plants receive a minimum design comparable to the 0.1g concept.
• Furthermore, a seismic instrumentation independent of the location of intensity is required for each installation.
• The importance of quality assured plant walk downs to determine the specified plant conditions was explicitly emphasized and required measures to ensure.
• Furthermore, the existing methods were verified for their applicability and the associated generic data base for PSA was updated.
• The explicit consideration of all natural external hazards is required.

REFERENCES

[1] Federal Ministry for the Environment, Nature Conservation and Nuclear Safety (Bundesministerium für Umwelt, Naturschutz und Reaktorsicherheit - BMU), Leitfaden zur Durchführung der Sicherheitsüberprüfung gemäß §19a des Atomgesetzes – Leitfaden probabilistische Sicherheitsanalyse – für Kernkraftwerke in der Bundesrepublik Deutschland, Bundesanzeiger Nr. 207a vom 03.11.2005 (in German). http://www.bfs.de/de/bfs/recht/rsh/volltext/3_BMU/3_74_3.pdf.
[2] International Atomic Energy Agency (IAEA), Integrated Regulatory Review Service (IRRS) to Germany, Bonn and Stuttgart, Germany, 2008.
[3] Einarsson, S., Proposal of a IRIDM approach for Germany, Technical Meeting on Integrated Risk Informed Decision Making, Vienna, Austria, March 25–29, 2012.
[4] Einarsson, S., Wielenberg, A., An integrated risk-informed decision making approach for Germany, Proceedings of PSAM11 & ESREL 2012 Conference, June 25–29, 2012, Helsinki, Finland.
[5] Federal Ministry for the Environment, Nature Conservation and Nuclear Safety (Bundesministerium für Umwelt, Naturschutz und Reaktorsicherheit - BMU), Safety requirements for nuclear power plants (Sicherheitsanforderungen an Kernkraftwerke), 22 November 2012, Federal Gazette, January 24, 2013 (in German). http://www.bfs.de/de/bfs/recht/rsh/volltext/3_BMU/3_1_BMU.pdf.
[6] Berg, H.P., Görtz, R., Schimetschka, E., Quantitative probabilistic safety criteria for licensing and operation of nuclear plants, Comparison of the international status and development, BfS-Bericht BfS-SK-03/03, Bundesamt für Strahlenschutz, Salzgitter, November 2003.
[7] Facharbeitskreis Probabilistische Sicherheitsanalyse für Kernkraftwerke, Methoden zur probabilistischen Sicherheitsanalyse für Kernkraftwerke, Stand: August 2005. BfS-SCHR-37/05, Bundesamt für Strahlenschutz, Salzgitter, October 2005 (in German). http://nbn-resolving.de/urn:nbn:de:0221-201011243824.
[8] Berg, H.P., Krauß, M., Use of Safety Goals to Assess the Safety Level of Nuclear Power Plants, Technical Meeting on safety goals in application to nuclear installations, Vienna, Austria, April 11–15, 2011.
[9] Berg, H.P., Fröhmel, T., Wassilew-Reul, C., Deterministic and probabilistic safety assessment as complementary tools for comprehensive safety reviews, Proceedings of 17th International Conference on Structural Mechanics in Reactor Technology (SMiRT-17), Post-Conference-Seminar No. 15 – Optimizing Plant Safety and Operation Using a Blend of Probabilistic and Deterministic Methods –, TÜV-Akademie, München, August 25–26, 2003.
[10] Berg, H.-P., Hauschild, J., Probabilistic assessment of external pressure waves. Proceedings of the 8th International Probabilistic Workshop, November 2010, Akademia Morska, Szczecin 2010, p. 27–39.
[11] Hauschild, J., Andernacht, M., Berg, H.-P., Case studies for evaluating conditional probabilities of external explosions, Kerntechnik 78 (2013) 2.
[12] Berg, H.-P., Krauß, M., Risk assessment of extreme weather conditions for nuclear power plants at tidal rivers. Journal of KONBiN - Safety and Reliability Systems, Nr. 1 (2010), p. 41–52.
[13] Krauß, M., Elsche, B., Roth, G., Design of nuclear power plants against seismic events in Germany – seismic instrumentation and post-seismic actions. Transactions SMiRT-22, San Francisco, California, USA, August 18-23, 2013.
[14] Nuclear Safety Standards Commission (KTA), Flood Protection of Nuclear Power Plants (Schutz von Kernkraftwerken gegen Hochwasser). KTA 2207, Salzgitter, November 2004.
[15] Facharbeitskreis Probabilistische Sicherheitsanalyse für Kernkraftwerke (FAK PSA): Methods for PSA for NPPs (Methoden zur probabilistischen Sicherheitsanalyse für Kernkraftwerke). BfS-SCHR-37/05, Salzgitter, October 2005.
[16] Thuma, G., Türschmann, M., Krauß, M., Development of advanced methods for seismic probabilistic safety assessments. In: Furuta, Frangopol & Shinozuka (Eds): Proceedings of the International Conference on Safety, Reliability and Risk of Structures, Infrastructures and Engineering Systems, London, Taylor & Francis Group, (2010), p. 1641–1645.
[17] Berg, H.-P., Winter, C., Analysis of external flooding and tsunamis for nuclear power plants at tidal rivers. Kerntechnik, Vol. 74, No 3 (2009), p. 132–139.
[18] KTA 2201.1 (2011-11), Safety Standards of the Nuclear Safety Standards Commission (KTA), “Design of Nuclear Power Plants against Seismic Events; Part 1 Principles”, Part 2 Soil, Part 3 Structures, Part 4 Systems and Components, Part 5 Seismic Instrumentation, Part 6 Post-seismic actions.
[19] Federal Ministry for the Environment, Nature Conservation and Nuclear Safety (Bundesministerium für Umwelt, Naturschutz und Reaktorsicherheit - BMU), EU Stresstest National Report of Germany, Implementation of the EU Stress Tests in Germany, December 2011.
[20] Reactor Safety Commission (RSK), Summarising assessment and recommendations of the RSK STATEMENT “Plant-specific safety review (RSK-SÜ) of German nuclear power plants in the light of the events in Fukushima-1 (Japan).” http://www.rskonline.de/English/statements---recommendations/index.html.
[21] Röwekamp, M., Berg, H.P., Current Activities to Enhance PSA and Update the Corresponding Nuclear Regulatory Framework in Germany, Proceedings of the International Topical Meeting on Probabilistic Safety Assessment and Analysis (PSA 2013), September 22–26, 2013, Columbia, South Carolina, USA.


INCORPORATION OF ALL HAZARD CATEGORIES INTO U.S. NRC PRA MODELS

Selim Sancaktar, Fernando Ferrante, Nathan Siu, Kevin Coyne U.S. Nuclear Regulatory Commission, Washington D.C. USA 20555-0001

Abstract

Over the last two decades, the U.S. Nuclear Regulatory Commission (NRC) has maintained independent probabilistic risk assessment (PRA) models to calculate nuclear power plant (NPP) core damage frequency (CDF) from internal events at power. These models are known as Standardized Plant Analysis Risk (SPAR) models. There are 79 such models representing 104 domestic nuclear plants, with some SPAR models representing more than one unit on the site. These models allow the NRC risk analysts to perform independent quantitative risk estimates of operational events and degraded plant conditions. It is well recognized that using only the internal events contribution to overall plant risk estimates provides a useful, but limited, assessment of the complete plant risk profile. Inclusion of all hazard categories applicable to a plant in the plant PRA model would provide a more comprehensive assessment of plant risk. However, implementation of a more comprehensive treatment of additional hazard categories (e.g., fire, flooding, high winds, seismic) presents a number of challenges, including technical considerations.

The U.S. NRC has been incorporating additional hazard categories into its set of nuclear power plant PRA models since 2004. Currently, 18 SPAR models include additional hazard categories such as internal flooding, internal fire, seismic, and wind events. In most cases, these external hazard models were derived from Generic Letter 88-20 Individual Plant Examination of External Events (IPEEE) reports. Recently, NRC started incorporating detailed Fire PRA (FPRA) information based on the current licensing effort that allows licensees to transition into a risk-informed fire protection framework, as well as additional external hazards developed by some licensees into enhanced SPAR models. These updated external hazards SPAR models are referred to as SPAR All-Hazard (SPAR-AHZ) models (i.e., they incorporate additional risk contributors beyond internal events). This paper discusses the technical approach used to develop new SPAR-AHZ models; key challenges encountered; and insights obtained from incorporation of event sequences from different hazard categories into the SPAR-AHZ models. Although this paper does not discuss plant specific details or results, it does highlight a number of issues associated with creating SPAR-AHZ models. While the challenges can be significant in terms of technical issues and resources needed, the incorporation of more realistic external hazard modeling allows better characterization of the plant core damage frequency risk profile and integration of key risk drivers and sequences beyond internal events. It is expected that over time, sustained usage of the SPAR-AHZ models, combined with feedback from plant licensees, will continue to calibrate the modeling of different hazard categories, especially for those scenarios for which detailed, up-to-date information may be more difficult to obtain.

Introduction

One of the regular uses of PRA insights at the U.S. NRC is in the reactor oversight process (ROP), where the risk importance of a performance deficiency identified via oversight activities (e.g., inspections) or an operational event is estimated in order to determine an appropriate regulatory response. Using a PRA to evaluate a performance deficiency or a plant event provides a quantitative measure which can be combined with other qualitative risk insights to assign a level of importance within a risk-informed decision-making framework. Such evaluations are routinely done for the significance determination process (SDP) in the Office of Nuclear Reactor Regulation (NRR) (Reference 1) and accident sequence precursor (ASP) evaluation process in the Office of Nuclear Regulatory Research (RES) (Reference 2). To help with these evaluations, the US NRC maintains a suite of independent PRA models (i.e., the SPAR models) that are representative of all commercial nuclear power plants (NPPs) operating in the USA. It should be noted that evaluations performed by the NRC using the SPAR models are generally intended to inform and prioritize regulatory follow up to operational issues and are not used to support licensing basis changes.

The SPAR models were initially designed to calculate plant core damage frequency (CDF) from internal events at power. Depending on the specific analysis being performed, other hazard categories were also considered, as appropriate. However, the risk contribution from non-internal event hazards, if determined, was traditionally done using qualitative arguments or via simplified estimates. Over the last decade, there was an attempt to integrate actual PRA models for other hazards into the existing internal events at power models. The first set of such “integrated models” was based on information from Generic Letter 88-20 Individual Plant Examination of External Events (IPEEE) reports and was named SPAR-EE models (“EE” referring to external events, although these models included internal flooding and internal fires in addition to external events). While representing an improvement in the treatment of external hazards, user confidence in the first generation of “EE” models was limited by concerns with IPEEE information not providing an up-to-date representation of the as-built, as-operated plant. It was also generally recognized that these models were not validated to the same level of quality/detail as some of the internal event scenarios.

Recently, some U.S. NPPs have implemented fire PRA models (FPRA) compatible with National Fire Protection Association (NFPA) Standard 805 “Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants” (Reference 3), to comply with the NRC’s Alternate Fire Protection Rule [10 CFR 50.48(c)] which provides a risk-informed approach to fire protection. These models define thousands of fire sequences and allow calculation of plant CDF from internal fires during power operation, using methodology provided in Reference 4. Implementation of NFPA-805 compliant FPRA models provided a renewed interest in construction of SPAR external hazard models. Since 2010, the NRC has been creating new SPAR all hazard (SPAR-AHZ) models, containing fire scenarios from NFPA-805 compliant FPRAs in addition to enhanced external hazard treatment.

The ASME/ANS PRA Standard (Reference 4) already addresses other hazard categories that should be considered in PRA, in addition to the internal events at power. A SPAR-AHZ model is intended to include all major hazard categories (i.e., all hazard categories that are not screened out due to their low probability of occurrence) applicable to an NPP to provide a complete risk profile. These models provide a more complete treatment among different hazards in calculation of the risk measure of interest, plant CDF in this case.

In the remaining portion of this paper, key aspects of the external hazard models, including challenges and illustrative examples, are discussed. While this information is based on actual experience in developing the SPAR-AHZ models, the intention of this paper is to highlight significant model development insights rather than providing site-specific and/or generic results applicable to U.S. NPPs.

Models

The NRC currently maintains 79 SPAR models, representing 104 domestic NPPs, in order to calculate plant CDF from internal events at power. Eighteen of these models contain all hazard categories deemed to be applicable to the plant (including internal fire) and are labeled as SPAR-AHZ models. SPAR-AHZ models are prepared in accordance with a “Model Maker’s Guideline”, which is available to NRC staff and supporting contractors. This document is intended to provide consistency for model construction and documentation and is periodically updated on an as-needed basis. The Model Maker’s Guideline also provides guidance on some technical details for which standard guidance may not be readily available elsewhere.


In general, a SPAR-AHZ model includes at least internal events, internal flooding and fires, seismic events, and wind-related events (tornados, hurricanes, and high winds applicable to the site). Table 1 shows an example of a summary output table displaying plant CDF by different hazard categories for a U.S. NPP with a Light Water, Pressurized Water Reactor (PWR) design.

Table 1. Summary Output from a SPAR-AHZ Model

| No. | Hazard category | Number of IEs | IE Frequency (per reactor-year (RY)) | CDF (per RY) |
|---|---|---|---|---|
| 1 | INTERNAL EVENTS | 22 | 9.65E-01 | 6.3E-06 |
| 2 | INTERNAL FLOODING EVENTS | 5 | 1.3E-05 | 1.6E-06 |
| 3 | INTERNAL FIRE EVENTS | 56 | 5.7E-02 | 7.3E-05 |
| 4 | SEISMIC EVENTS | 5 | 4.6E-04 | 3.1E-06 |
| 5 | EXTERNAL FLOODING EVENTS | | | |
| 6 | HIGH WIND EVENTS | 1 | 1.8E-02 | 4.9E-07 |
| 7 | TORNADO EVENTS | 3 | 1.1E-05 | 5.6E-08 |
| 8 | OTHER EXTERNAL EVENTS | | | |
| | Total = | 92 | | 8.4E-05 |

The values in Table 1 are point estimates; although SPAR models are capable of providing uncertainty calculations, this capability is not routinely used by risk analysts.

This model contains 92 main event trees (one event tree for each specific initiating event) which are integrated into a single PRA model. The starting point of the model is the existing SPAR model which contains only the 22 event trees for internal events at power. As additional scenarios were added, existing data, event trees, fault trees, rules, and flag files are used as much as possible and are supplemented as needed. Although the number of event trees has been greatly expanded, the typical quantification times for the SPAR-AHZ models are comparable to the internal events models (on the order of minutes using a truncation level of 1E-11). Reasonable analysis run times are necessary to encourage wide use of the AHZ models, particularly when the model must be quantified multiple times within a short time frame to fully assess an operational event or condition.

Summary output from another SPAR-AHZ model is shown in Table 2. This illustrates an earlier example of a PWR where there are 51 scenarios, 20 of them from the internal events model. Note that seismic events are binned into 3 scenarios, whereas current practice within the NRC is shifting towards at least 5 seismic bins for sites situated in the East section of the U.S. (i.e., east of the Rocky Mountains). In either case, this allows breakdown of middle-range seismic events into a specific number of bins, where the failure probabilities of some support systems may be modeled in detail, corresponding to increasing ground motion intensity ranges.


Table 2. Summary Output from a SPAR-AHZ Model

| No. | Hazard category | Number of IEs | IE Frequency (per RY) | CDF (per RY) |
|---|---|---|---|---|
| 1 | INTERNAL EVENTS | 20 | 2.9 | 2.6E-06 |
| 2 | INTERNAL FLOODING EVENTS | 11 | 2.5E-02 | 5.9E-06 |
| 3 | INTERNAL FIRE EVENTS | 15 | 7.9E-02 | 2.9E-06 |
| 4 | SEISMIC EVENTS | | | |
| | Bin-1 (0.05g ≤ pga ≤ 0.3g) | 1 | 3.3E-04 | 6.0E-09 |
| | Bin-2 (0.3g < pga ≤ 0.5g) | 1 | 1.6E-05 | 2.0E-06 |
| | Bin-3 (0.5g < pga) | 1 | 9.6E-06 | 8.2E-06 |
| 5 | EXTERNAL FLOODING EVENTS | | | |
| 6 | TORNADO & HIGH WIND EVENTS | 2 | 2.2E-06 | 3.5E-09 |
| 7 | OTHER EXTERNAL EVENTS | | | |
| | Total = | 51 | 3.0 | 2.2E-05 |

For bin 3, containing the most severe ground motion intensity range, the conditional core damage probability (CCDP) is 0.85 due to the assumed fragility of major structures and support systems. For seismic bins with high peak ground accelerations (pga), close to a mean acceleration of 1g (where g represents the standard gravitational acceleration as a unit), it is generally observed that the CCDP approaches 1.0 for NPPs to the East of the Rocky Mountains since high intensity seismic events are not expected in this region and plant structure, systems and components may not have been designed to such extreme seismic events (as opposed to the Western U.S. regions).

A feasibility study performed in 2004 concluded that representing the seismic hazard curve with three bins (scenarios) provides sufficient risk insights for those plants at seismically robust regions and for those models using surrogate fragilities. Since then, the modeling guidelines were revised to recommend modeling of at least 5 seismic bins to better approximate the seismic hazard curve. However, the results do not appear to provide substantial insights or advantage over the original minimum recommendation of 3 seismic bins, although this may be dependent on the shape of the seismic hazard curve. There is no hard limit to the number of seismic bins to be modeled: for example, if the plant owner already has a seismic PRA with 7 bins, the SPAR-AHZ model can also be made with 7 bins to allow easier comparison between the two model results.

Table 3 shows the summary results of a SPAR-AHZ. This model is for a PWR site in the Eastern United States, showing the bin definitions and frequencies for 5 seismic bins.

The NRC uses the SAPHIRE software (where SAPHIRE stands for Systems Analysis Programs for Hands-on Integrated Reliability Evaluations) to develop and quantify SPAR models (Reference 5). This software, by design, provides sequence as well as cutset information. The model is constructed such that all hazard scenarios (represented in event trees) are treated in the same manner by the software; specifically, the software does not distinguish between internal events vs. external events, or any other grouping of events. SAPHIRE has the capability to integrate the seismic hazard and fragilities to calculate plant CDF, without resorting to seismic bin modeling. However, it was decided to use the seismic bin modeling since it produces CDF cutsets that can be ranked and compared with other hazard category CDF cutsets, and it is also a more common approach used by many U.S. risk analysts.


The SPAR-AHZ project also maintains a compilation of seismic fragilities from different sources, to be used as surrogate fragilities in building a model, whenever plant specific seismic fragilities are not available (e.g., Reference 6). The applicability of so-called “generic” fragilities available in a number of public documents needs to be considered carefully before implementation to any specific plant (e.g., are they too robust for older plants built on low intensity earthquake zones). Surrogate fragilities taken from similar vintage and type plants may provide more prudent initial estimates until plant specific information becomes available. In either case, the implementation of such fragilities is used to provide risk-insights and sensitivity cases to NRC risk analysts, as opposed to fully justified site-specific fragility information, as may be required by licensing actions.

Table 3. A 5-bin Seismic Model: Bin Definition and Frequencies

| Seismic Bin | Initiating Event | Initiating Event Description | Frequency (per RY) |
|---|---|---|---|
| 1 | IE-EQK-BIN-1 | Seismic event BIN-1 (0.05g - 0.21g) occurs (Bin acceleration = 0.11g) | 9.5E-04 |
| 2 | IE-EQK-BIN-2 | Seismic event BIN-2 (0.21g - 0.47g) occurs (Bin acceleration = 0.31g) | 4.0E-05 |
| 3 | IE-EQK-BIN-3 | Seismic event BIN-3 (0.47g - 0.72g) occurs (Bin acceleration = 0.58g) | 3.6E-06 |
| 4 | IE-EQK-BIN-4 | Seismic event BIN-4 (0.72g - 0.93g) occurs (Bin acceleration = 0.82g) | 6.4E-07 |
| 5 | IE-EQK-BIN-5 | Seismic event BIN-5 (>0.93g) occurs (Bin acceleration = 1.1g) | 1.5E-07 |
| | | Total seismic event frequency (>0.05g) | 9.9E-04 |

An example of a small set of CDF sequences as reported by the software is shown in Table 4. In the event tree naming convention, FRI refers to internal fires; FLI to internal flooding; EQK to seismic events, etc.

In the more recently developed SPAR-AHZ models, emphasis is given to modeling wind-related events (tornado, hurricane and high wind events) even when they do not appear to be significant contributors to plant risk. The rationale behind this is that events that do not contribute to average plant risk may still be of interest (and contributors to) plant condition importance analysis performed as part of an SDP or ASP analysis. Furthermore, recent events such as the Mississippi River basin flooding and Hurricane Sandy have highlighted the potential importance of wind and external flooding events as potential contributors to plant condition and event importance analyses. Thus, whenever possible, an attempt is made to include such scenarios in the SPAR-AHZ models. It should be noted that SPAR models for internal events at power contain loss-of-offsite-power (LOOP) initiating events which include a “weather-related” contribution (labeled LOOP-WR) with a less favorable power recovery model than other LOOP contributors (e.g., plant-centered LOOP initiators). For many sites, the LOOP-WR risk contribution may be dominated by wind events that rely on generic initiating event frequencies. When additional high wind events are modeled in the SPAR-AHZ models, double counting of weather-related LOOP events would occur, if the LOOP-WR contribution is not removed from the internal event model.


Table 4. An Example Set of CDF Sequences

| Event Tree | Sequence | CDF (per RY) | Event Tree Node (/ denotes success) |
|---|---|---|---|
| FRI-FC41-HGL | 2-16-03 | 1.2E-05 | FIRE-FRAC, /RPS, EPS, /AFW-B, /PORV-B, /ASI, OPR-24H, DGR-24H |
| FRI-FC02-MCBD11 | 2-16-03 | 4.8E-06 | FIRE-FRAC, /RPS, EPS, /AFW-B, /PORV-B, /ASI, OPR-24H, DGR-24H |
| FRI-FC35-S7016 | 2-16-45 | 3.3E-06 | FIRE-PORV, /RPS, EPS, /AFW-B, PORV-B, OPR-01H, DGR-01H |
| FRI-FC02-MCBA11 | 2-02-02-11 | 3.2E-06 | FIRE-FRAC, /RPS, /AFW, /PORV, LOSC, /RCPT, /RSD, /BP1, BP2, /FW, HPI, SSC1 |
| FRI-FC02-MCBA12 | 2-02-02-11 | 2.9E-06 | FIRE-FRAC, /RPS, /AFW, /PORV, LOSC, /RCPT, /RSD, /BP1, BP2, /FW, HPI, SSC1 |
| FRI-FC35-S0724 | 2-16-45 | 2.2E-06 | FIRE-PORV, /RPS, EPS, /AFW-B, PORV-B, OPR-01H, DGR-01H |
| FRI-FC54 | 2-16-48 | 1.6E-06 | FIRE-FRAC, /RPS, EPS, AFW-B, OPR-01H, DGR-01H |
| FRI-FC54 | 2-16-06-04 | 1.3E-06 | FIRE-FRAC, /RPS, EPS, /AFW-B, /PORV-B, ASI, /RSD-B, /BP1, /BP2, OPR-04H, DGR-04H, /AFW-MAN, /CST-REFILL-LT1, SG-DEP-LT2, PWR-REC-24H |
| FRI-FC03-S1486 | 2-16-03 | 1.2E-06 | FIRE-FRAC, /RPS, EPS, /AFW-B, /PORV-B, /ASI, OPR-24H, DGR-24H |
| FRI-FC35-S0732 | 2-16-45 | 1.0E-06 | FIRE-PORV, /RPS, EPS, /AFW-B, PORV-B, OPR-01H, DGR-01H |
| FRI-FC34-BTCHRG | 2-05 | 9.1E-07 | FIRE-PORV, /RPS, /AFW, PORV, /HPI, /SSC, RHR, HPR |
| FRI-FC35-S7016 | 2-09 | 8.8E-07 | FIRE-PORV, /RPS, /EPS, /AFW-L, PORV-L, /HPI-L, OPR-02H, HPR-L |
| SLOCA | 04 | 8.3E-07 | /RPS, /FW, /HPI, /SSC, RHR, HPR, LPR |
| ISL-RHR | 3 | 8.2E-07 | ISL-RPT-RHR, /ISL-DIAG, ISL-REC-RHR |
| FLI-SWF-3 | 6 | 7.5E-07 | SWS-ISOL-3 |
| EQK-BIN-3 | 7 | 6.9E-07 | STRC-CD-EQ3 |
| EQK-BIN-4 | 7 | 6.9E-07 | STRC-CD-EQ4 |
| LOOPWR | 16-03 | 6.7E-07 | /RPS, EPS, /AFW-B, /PORV-B, /ASI, OPR-24H, DGR-24H |

Note: The sequences are defined in terms of the success or failure of event tree nodes. The symbol / indicates success of an event tree node in the sequence: /RPS = reactor protection system successful.

As mentioned above, NRC routinely uses SPAR models in generating quantified measures of the plant risk increase, e.g. ΔCCDP or ΔCDF, for plant event or condition risk importance. Although analysts are expected to at least qualitatively consider other hazard categories such as fire and external events, quantification of these other hazards is not typically performed due to the limited availability of information and/or fully validated SPAR-AHZ models. However, based on the current focus to develop all hazards models, the evolving benefits of using a SPAR-AHZ model versus an internal events-only SPAR model for a plant event or condition analysis can be assessed. Noting that the total plant CDF for an AHZ model may be as much as 10 times higher than that of the corresponding internal events CDF (see Tables 1 and 2), quantification of fire and external hazards could potentially shift the significance binning of risk results, in which case the level of contribution and consistency of conservatisms applied to different scenarios can be evaluated.

The impact of the inclusion of additional scenarios in SPAR models on plant condition importance has been informally studied by using a recently created SPAR-AHZ model. A plant condition in a U.S. NPP PWR was assumed, where the auxiliary feedwater (AFW) turbine driven pump (TDP) and one of the two emergency diesel generators (EDGs) were unavailable for some period of time, from which a conditional risk importance was calculated with an internal events only SPAR model and with a SPAR-AHZ model. Table 5 shows the results for different durations of the plant condition. This plant condition is particularly challenging, especially for LOOP and station blackout (SBO) sequences. The addition of other hazard categories is observed to increase the number of LOOP and SBO sequences modeled for an NPP, usually with less favorable power recovery potential. Thus, for this example, a shift in plant importance binning may occur, and moreover, may be technically justifiable.

Thus, for a plant condition that lasts for one month, one would calculate a ΔCDF risk increase of 2.8E-05/RY considering only internal events at power, compared to 1.0E-04/RY when additional hazard categories are included (i.e., a factor of four difference). Using the criteria defined by the NRC where a different regulatory action is assigned to increasing orders of magnitude in the risk increase results, this could impact the decision made based on delta CDF for SDP classification. The same may not be true for ASP classification where a different criterion is applied to classify significant precursor events. However, it should be noted that PRA provides only one of the inputs for assigning plant condition importance within NRC’s risk-informed decision-making processes, such as SDP and ASP.

In general, the SPAR internal events PRA models have been well-exercised and maintained through continual feedback from NRC users, and are considered to be mature models. The NRC has expended significant effort benchmarking internal events against licensee PRA models and performing cross comparisons of models where appropriate. The NRC has also performed ASME/ANS PRA Standard peer reviews of typical Light Water Boiling Water Reactor (BWR) and PWR models to ensure that they are capable of supporting their intended purpose. These activities have resulted in a suite of internal events SPAR models that have achieved a high level of verification and validation. Although new SPAR-AHZ models have some level of validation, these models are at an earlier stage of maturity than the internal events models and their limited validation should be considered when the models are used. As these models are exercised through routine use, their consistency and fidelity to the as-built, as-operated NPP is expected to increase. This expected progress towards maturity is similar to the process followed by the existing internal events SPAR models, and the continuous development, usage, and enhancement of such models is considered essential in the effort to more fully characterize the risk profile for regulatory applications via a stable and converging path towards a well-defined suite of All Hazards models within the NRC.


Table 5. Plant Condition Importances (AFW-TDP and EDG-B Unavailable)

| Plant is in the condition for: | Condition importance considering Internal events only (ΔCDF) | Condition importance considering Internal events plus another hazard category (ΔCDF) | Change in SDP color (footnote 9) if Internal events + another hazard category is used | Change in ASP classification (footnote 10) if Internal events + another hazard category is used |
|---|---|---|---|---|
| 1 day | 9.1E-07 | 3.4E-06 | Yes | Yes |
| 1 week | 6.4E-06 | 2.4E-05 | Yes | No |
| 1 month | 2.8E-05 | 1.0E-04 | Yes | No |
| 3 months | 8.3E-05 | 3.1E-04 | Yes | No |
| 6 months | 1.7E-04 | 6.1E-04 | No | No |
| 1 year | 3.3E-04 | 1.2E-03 | Yes | No |
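The comparison in Table 5 can be reproduced by applying the SDP color bands and ASP classes quoted in the paper's footnotes 9 and 10 to each ΔCDF value. The following is an added example, not code from the paper or from NRC tooling; the function names are its own, and counting a value that sits exactly on a threshold in the higher category is an assumption, since the footnotes state strict inequalities on both sides.

```python
from dataclasses import dataclass

# ΔCDF thresholds (per reactor-year) quoted in the paper's footnotes 9 and 10.
# The footnotes use strict inequalities on both sides of every boundary, so a
# value exactly on one is undefined there; counting it in the higher category
# is an assumption of this example.
SDP_BANDS = ((1e-4, "Red"), (1e-5, "Yellow"), (1e-6, "White"))
ASP_BANDS = ((1e-3, "significant precursor"), (1e-6, "precursor"))
SDP_ORDER = ("Green", "White", "Yellow", "Red")

# Table 5 as printed: duration, ΔCDF internal events only, ΔCDF with other hazards.
TABLE_5 = (
    ("1 day", 9.1e-07, 3.4e-06),
    ("1 week", 6.4e-06, 2.4e-05),
    ("1 month", 2.8e-05, 1.0e-04),
    ("3 months", 8.3e-05, 3.1e-04),
    ("6 months", 1.7e-04, 6.1e-04),
    ("1 year", 3.3e-04, 1.2e-03),
)


def _classify(delta_cdf, bands, floor):
    """Return the label of the most severe band whose threshold is reached."""
    if delta_cdf < 0:
        raise ValueError("delta CDF must be non-negative")
    for threshold, label in bands:  # bands are ordered most severe first
        if delta_cdf >= threshold:
            return label
    return floor


def sdp_color(delta_cdf):
    return _classify(delta_cdf, SDP_BANDS, "Green")


def asp_class(delta_cdf):
    return _classify(delta_cdf, ASP_BANDS, "not a precursor")


@dataclass(frozen=True)
class Comparison:
    duration: str
    sdp_internal: str
    sdp_all_hazards: str
    asp_internal: str
    asp_all_hazards: str

    @property
    def sdp_changes(self):
        return self.sdp_internal != self.sdp_all_hazards

    @property
    def asp_changes(self):
        return self.asp_internal != self.asp_all_hazards


def compare(rows=TABLE_5):
    """Classify both model results for every tabulated duration."""
    return [
        Comparison(d, sdp_color(i), sdp_color(a), asp_class(i), asp_class(a))
        for d, i, a in rows
    ]


def first_duration_reaching(color, all_hazards, rows=TABLE_5):
    """Shortest tabulated duration at which the chosen model reaches `color` or worse."""
    target = SDP_ORDER.index(color)
    for duration, internal, ahz in rows:
        value = ahz if all_hazards else internal
        if SDP_ORDER.index(sdp_color(value)) >= target:
            return duration
    return None


if __name__ == "__main__":
    for c in compare():
        print(f"{c.duration:9s} SDP {c.sdp_internal:6s} -> {c.sdp_all_hazards:6s} "
              f"({'changes' if c.sdp_changes else 'same'}); "
              f"ASP {c.asp_internal} -> {c.asp_all_hazards} "
              f"({'changes' if c.asp_changes else 'same'})")
    print("Red first reached, internal events only:",
          first_duration_reaching("Red", all_hazards=False))
    print("Red first reached, all hazards:",
          first_duration_reaching("Red", all_hazards=True))
```

The one month row is the boundary case: its all-hazards value is printed as 1.0E-04, exactly the Yellow/Red threshold, so the color assigned there depends on the boundary assumption stated above.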

Conclusions

Development of additional SPAR-AHZ models that include fire and external hazards is the subject of continuing focus at the NRC. The inclusion of external hazards and fires results in a more complete and integrated risk assessment for operational events and conditions and can improve the realism of reactor oversight processes such as the SDP and ASP programs. Although SPAR-AHZ models have somewhat limited validation compared to the internal events SPAR models, we expect that user feedback from increased use will further improve the maturity of technical quality for these models.

Two additional activities being pursued currently at the US NRC may further improve the completeness of agency SPAR-AHZ models:

1. A better process to evaluate, and, if appropriate, include in a PRA model the impact of multiple and concurrent events, with emphasis on seismically induced fire and flooding events (Reference 7).

2. A level 3 PRA model study that includes multi-unit, multi-source events (e.g. spent fuel pool and storage casks, in addition to the reactor) covering all operational modes and hazards (Reference 8).

References

1. NRC Inspection Manual Chapter 0609: Significance Determination Process

2. SECY-12-0133, “Status of the Accident Sequence Precursor Program and the Standardized Plant Analysis Risk Models”

3. NFPA 805, "Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants," February 2001

9 The SDP process defines four risk importance categories, each identified by a color: “Green” (ΔCDF < 1E-06/RY), “White” (1E-6/RY < ΔCDF < 1E-5/RY), “Yellow” (1E-5/RY < ΔCDF < 1E-4/RY) and “Red” (ΔCDF > 1E-04/RY).

10 The ASP program defines two classifications based on ΔCDF: a precursor (ΔCDF > 1E-06/RY) and a significant precursor (ΔCDF > 1E-03/RY). Similar classifications also exist for ΔCCDP.


4. “EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities”, NUREG/CR-6850, EPRI TR-1011989, September 2005

5. NUREG/CR-7039, “Systems Analysis Programs for Hands-on Integrated Reliability Evaluations (SAPHIRE) Version 8”

6. Risk Assessment of Operational Events Handbook: Volume 2 – External Events, January 2008

7. Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, ASME/ANS RA-Sa–2009, February 2009

8. SRM SECY-11-0137 Prioritization of Recommended Actions to be Taken in Response to Fukushima Lessons Learned

9. SRM SECY-11-0089 Options for Proceeding with Future Level 3 Probabilistic Risk Assessment Activities


PSA APPROACH FOR THE EVALUATION OF EXTERNAL HAZARDS AS PART OF CNSC FUKUSHIMA ACTION ITEMS

Michael Xu, Canadian Nuclear Safety Commission

Smain Yalaoui, Canadian Nuclear Safety Commission

ABSTRACT

This paper introduces the PSA approach that Canadian licensees adopted to address the Canadian Nuclear Safety Commission (CNSC) Fukushima Action Items (FAIs) [1] with respect to external hazards evaluation. This paper focuses on the FAIs specifically associated with the external hazard evaluation. It also briefly discusses the similarities and differences between the requirements of the CNSC FAIs, the Western European Nuclear Regulators’ Association (WENRA) Stress Test [2], and the USNRC “Request for Information” [3].

This paper provides a status update on the completion of the FAIs by the Canadian licensees and discusses the lessons learned from the implementation of these action items. It also identifies the importance of a closer interaction between the CNSC and other government agencies for the characterization of, as well as for the protection against, external natural hazards. It also highlights some other areas, including research projects on external hazards, combined methodologies from the licensees, etc.

The views expressed in this paper are those of the authors and do not necessarily reflect those of CNSC, or any part thereof.

I) INTRODUCTION

Following the events at the Fukushima Dai-ichi nuclear power plant, the CNSC established the CNSC Fukushima Task Force in April 2011 to review licensees’ responses to the CNSC order, under subsection 12(2) of the General Nuclear Safety and Control Regulations, to re-examine the safety cases of their nuclear power plants, with the objective of reviewing the capability of nuclear power plants (NPPs) to withstand conditions similar to those that triggered the Fukushima accident. Specifically, the CNSC Task Force examined the response of NPPs to external events of higher magnitude than had previously been considered. Based on the post-Fukushima review, the CNSC Task Force confirms that the Canadian NPPs are robust and have a strong design relying on multiple layers of defence. The design ensures that there will be no impact on the public from external events that are regarded as credible. The design also offers protection against more severe external events that are much less likely to occur [4].

Nevertheless, the Task Force made 13 recommendations to further enhance the safety of nuclear power plants in Canada. One recommendation is specific to external hazards.

Licensees should conduct more comprehensive assessments of site-specific external hazards to demonstrate that:

a) Considerations of magnitudes of design-basis and beyond-design-basis external hazards are consistent with current best international practices; consequences of events triggered by external hazards are within applicable limits

b) Such assessments should be updated periodically to reflect gained knowledge and modern requirements.

The CNSC Staff Action Plan [6] identifies 33 actions that address the 13 Task Force Report recommendations. On February 17, 2012, CNSC staff informed licensees in writing that staff had initiated 36 site specific Fukushima Action Items (FAIs) [1] to address the CNSC Fukushima Task Force recommendations. The “Fukushima Action Items – Matrix of Applicability to Stations and Status”, derived from each of the deliverables identified in the CNSC Staff Action Plan, is attached as appendix D to the document. The matrix describes the 36 FAIs applicable to each station and identifies whether an FAI is “open” or “closed”, based on staff’s current assessment. Among the 36 FAIs, two are specifically associated with the external hazard evaluation:

FAI 2.1.1 Re-evaluation, using modern calculations and state of the art methods, of the site specific magnitudes of each external event to which the plant may be susceptible.

FAI 2.1.2 Evaluate if the current site specific design protection for each external event assessed in 1 above is sufficient. If gaps are identified a corrective plan should be proposed.

These action items are to be completed by the end of 2013 and the licensees are working towards completion of the action items. The CNSC FAI requirements are generally in line with the WENRA Stress Test Specifications [2] and the USNRC “Request for Information” requirements [3].

This paper focuses on the hazard analysis, which is FAI 2.1.1 of Fukushima Action Items.

II) GENERAL HAZARD SCREENING APPROACH USED BY THE LICENSEES TO ADDRESS FAI 2.1.1

Unlike the WENRA Stress Test Specifications [2] and the USNRC March 12, 2012 letter to the licensees [3], the CNSC did not provide detailed guidance on how to conduct the required evaluations. The licensees are expected to develop their own strategies and methodologies to address the FAI issues. These methodologies are subject to CNSC staff acceptance before they are used in the hazard analysis.

On the other hand, the licensees are required by licence condition to conduct a PSA in order to comply with the requirements of S-294 “Probabilistic Safety Assessment for Nuclear Power Plants” [5], which covers both internal and external events. Compliance dates vary among the licensees but most are either in 2012 or in 2013. Some licensees choose to combine their efforts to address both licence requirements and FAI requirements. The licensees generally take the same approach to meet FAI requirements, comprising hazard identification, screening and bounding analysis, and detailed analysis for unscreened hazards and for seismic, high wind and external flood hazards, if applicable.

II.1) Hazard Identification

The external hazards, including man-made and natural hazards, were considered in the original site selection, plant design and safety analysis of the nuclear power plants in Canada. However, Canadian nuclear power plants were designed and constructed in the 70’s, 80’s and early 90’s. There is always a need to demonstrate whether the existing plants still meet the requirements of new codes and standards with regard to the capacity to withstand external hazards. Most of the Canadian nuclear power plants have undergone an Integrated Safety Review (ISR), similar to the Periodic Safety Review (PSR), for the purpose of refurbishment, and the external hazard analysis is one of the topics that has been fully addressed. Some gaps were identified and some additional assessments, such as Safety Margin Assessments, were performed to support the refurbishment projects.

During the implementation of S-294, the licensees are required to identify the external hazards to be included in the PSA by following the relevant IAEA PSA guidance IAEA 50-P-4 [7], which was superseded by IAEA SSG-3 [8]. However, the licensees also take into consideration other relevant Canadian regulations and international guidance and best practices.

The governing requirements for the evaluation of external hazards for a new NPP site are contained in the CNSC regulatory document RD-346 [9] and these are usually considered by the licensees for hazard identification. This regulatory document sets expectations with respect to site evaluation and represents the CNSC general adoption of IAEA safety standard requirements documents IAEA NS-R-3 [10] for site evaluation for nuclear installations.

Various other references are also used to generate the list of external events to be considered in the assessment, including IAEA-TECDOC-1341 [11], NUREG/CR-2300 [12], NUREG-1407 [13], and ASME/ANS RA-Sa-2009 [14]. CANDU operating experience, such as event reports, and other site-specific or region-specific external phenomena are also taken into consideration.

II.2) Hazard screening analysis and bounding analysis

Both man-made and natural hazards are subject to screening. The licensees’ screening methodologies generally follow IAEA guidance [15], which recommends a two-step screening process: the preliminary screening and the detailed evaluation (bounding analysis).

Site hazard assessments follow a progressive screening approach, consisting of a series of progressively refined methods that increasingly use more detailed site-specific data to demonstrate whether the site is protected from the adverse effects of these hazards.

A preliminary screening may be carried out by the use of a ‘screening distance value’ and/or, where the available data permit, by evaluating the probability of occurrence of the event.

A second screening criterion for bounding analysis is based on the core damage frequency. The Canadian licensees generally established screening criteria based on a core damage frequency of 10⁻⁶ per year. The screening criteria and methodology adapted for Canadian licensees from the US NRC and ASME are in line with the IAEA guidance.

In order to fully address the Fukushima Task Force recommendation, the external hazards have to be considered through a qualitative or quantitative screening analysis. In addition, any consequential or induced events following the external hazards need to be assessed (for example, consequential fire or flood from a seismic event).

II.3) Hazard analysis methodologies for Seismic, External Floods and High Winds

For the three types of external hazards, seismic, external floods and high winds, which are not supposed to be screened out from detailed analysis, different methodologies are developed and some of them have been accepted by the CNSC staff, specifically:


1. Seismic event

The seismic event has always been one of the most important external hazards to be considered in the plant site selection and plant design.

Most of the Canadian CANDU nuclear power plants were designed and built in the 70’s and 80’s. The Design Basis Earthquake (DBE) was usually based on an estimated probability of exceedance of 10⁻³ per year or was established deterministically (i.e., without probabilistic measures) [16]. Seismic PSA was not required at that time. In recent years, the design basis earthquake for CANDU nuclear power plants has changed. The new Canadian Standards Association (CSA) standard [16] requires the design basis earthquake ground motions to have a selected probability of exceedance of 10⁻⁴ per year. Thus there is a gap between the old seismic design and the new requirement.

During the refurbishment projects, the licensees were required to evaluate the plant capability to withstand beyond design basis earthquakes. The Seismic Margin Assessment (SMA) was usually chosen and the Checking/Review Level Earthquake (CLE) was selected at a probability of exceedance of 10⁻⁴ per year.

Although all Canadian nuclear power plants had performed seismic hazard analyses at different stages of site selection, plant design, construction and refurbishment, it is a general understanding that the methodologies and the datasets used in the seismic hazard analyses have improved significantly in recent decades. Thus, this change may have impact on the current seismic design and qualification.

The licensees have conducted, or are conducting the site-specific seismic hazard studies as part of the Seismic PSA or the PSA-based SMA as part of the compliance with CNSC regulatory document S-294 [5]. The purpose of the site-specific seismic hazard assessment is to identify if the latest expert understanding of earthquakes has changed substantially compared with the previous studies. This is of particular importance since the recent US NRC data and models indicate that estimates of the potential for earthquake hazards for some nuclear power plants in the Central and Eastern United States (CEUS) may be larger than previous estimates. This was identified as generic issue GI-199 [17]. While it has been determined that currently operating plants remain safe, the recent seismic data and models warrant further study and analysis.

The general approach for the conduct of Probabilistic Seismic Hazard Analysis (PSHA) by the licensees is taken from the recommendations of the IAEA [18, 19], USNRC [20, 21, 22] and EPRI guidance [23]. Problems in PSHA studies for regions with low to moderate seismicity may arise from the fact that, due to the small number of strong-motion earthquakes in such regions, attenuation relationships must start with those taken from other regions with available strong motions. This could lead to inconsistencies or to large uncertainties, depending on the experts’ choices. The results of site-specific or region-specific probabilistic seismic hazard analyses are also compared with other studies, such as the Canadian Geological Survey seismic hazard values in support of the National Building Code of Canada (NBCC), and the CEUS SSC model [24] results.

The completed licensees’ Probabilistic Seismic Hazard Analyses are reviewed by the seismologists from Natural Resources Canada (NRCan).


2. External floods

For historical reasons, the flood risk analysis focuses on the estimation of design-basis floods at nuclear power plant sites. This methodology is currently based on a set of deterministic approaches that specify the “probable maximum” flood precursor events. Hydrologic, hydraulic, thermal, and hydrodynamic models are also used to predict a set of extreme candidate floods at the site, from which the most severe design-basis flood hazards are selected. Some of the extreme events, such as tsunami and seiche, were screened out from detailed analysis for most of the coastal nuclear power plants in the Great Lakes region because no occurrence has been observed historically, or because of low frequency or low impact.

In light of the Fukushima accident, external flooding has become one of the major concerns. CNSC staff expects the licensees to evaluate the impact of flooding events. Canadian licensees follow international best practices for the flood risk assessment.

The screening analysis, combined with bounding analysis is used as the first step of the flood risk assessment. If the specific external flooding scenarios are screened in, the detailed risk assessment is then performed.

It is recognized that a comprehensive Probabilistic Flood Hazard Assessment (PFHA) methodology has not yet been developed [25]. However, discrete components of the PFHA are now available, although the overall framework still needs to be developed. The current challenge for the licensees in Canada is that they need to find suitable methodologies themselves to complete the studies. Most of them teamed up with experienced US consultant companies to develop the probabilistic hazard analysis methodology.

Since most of the CANDU nuclear power plants are located on the coastal areas of the Great Lakes, consideration should be given to the impact of the tsunamis, seiches and storm surges.

2.1 Tsunamis

Tsunami occurrences in Canada are rare, with the Pacific Coast at greatest risk due to the higher occurrence rate of earthquakes and landslide activity. For the tsunami hazard of coastal regions, Natural Resources Canada conducted a probabilistic tsunami hazard analysis in 2012 and published the results [26], which provide the maximum run-up levels expected to occur within time periods of 50, 100, 500, 1000, and 2500 years for three coastal regions: Atlantic, Pacific and Arctic.

For the Atlantic coastal site, the tsunami hazard is also screened out due to the relatively low tsunami run-up levels and high plant elevation.

Most of the Canadian nuclear power plants are located by the Great Lakes, and the licensees have conducted their own evaluations of the tsunami risk. The recent assessment conducted by Ontario Power Generation (OPG) [27, 28] evaluated the tsunami risk for a lakeside site and concluded that the Great Lakes are a geologically stable region where the shorelines are not generally susceptible to shore slope failure or landslide. No tsunamis have been recorded in Lake Ontario; thus a tsunami is considered an improbable event and there is no associated flood hazard potential for this site. The same conclusion has been reached by Bruce Power, which is also located on the Great Lakes.

2.2 Seiches and storm surges

The recent OPG assessment [28] of the historical records has shown that the risk of seiche or storm surge for the coastal areas of the Great Lakes may not be screened out from further analysis. Thus, a detailed analysis is going to be performed by the licensees. Currently, the licensees are developing the methodology to perform the assessment.


2.3 Combinations of floods

The combinations of the floods have already been considered in the licensee’s methodologies. The current approach by the licensees is to combine some “probable maximum” flood precursor events. The probabilistic approach is also considered when it is applicable.

CNSC staff is currently comparing licensees’ methodologies with USNRC guidance [29, 30] and other international guidance.

3. High winds

High wind hazard was recognized as a potential risk to the Canadian nuclear power plants even before the Fukushima accident. Most Canadian nuclear power plants were designed to withstand certain wind loads based on old versions of the Canadian Building Codes, except the Darlington Nuclear Generating Station, which was designed to an F4 wind load on the Fujita wind scale. Therefore, these NPPs have already performed or are in the process of performing a high wind risk assessment to ensure there will be no unacceptable risk.

New methodologies are developed based on the insights taken from USNRC [31, 32, 33] and other literature.

Usually two types of winds are considered: straight winds and tornados. The data for straight winds are obtained from anemometer records from the site and from regional stations, such as airports. For tornados, the wind speed is associated with the damage scale (Fujita scale or Enhanced Fujita scale) because tornado data records are based upon interpretations of the available evidence of tornado damage characteristics.

Canadian licensees usually use the data derived from Environment Canada (EC), Ontario Climate Centre, US National Weather Service (NWS) Storm Prediction Centre, US National Oceanic and Atmospheric Administration (NOAA) Storm Prediction Center. Some Canadian gust wind speed data in the form of daily or monthly peak gust wind speeds can be found from US wind speed data is available from the National Climatic Data Center (NCDC) in NOAA.

The Canadian tornado database contains the date, position, and estimated F-Scale for each tornado. US databases such as the NOAA Storm Prediction Center database provide more data and can be used to generate hazard curves or for comparison purposes.

Since the USNRC has accepted the use of the Enhanced Fujita (EF) scale in regulatory guide RG 1.76, “Design Basis Tornados” [31], which is based on Revision 2 of NUREG/CR-4461 [33], while Canada still uses the Fujita scale, Canadian licensees apply weighting factors when they combine the two databases to generate the site-specific high wind hazard curves.

On April 1, 2013, Canada officially adopted the Enhanced Fujita (EF) Scale [34]. This change may have an impact on the current high wind hazard analysis results. CNSC staff is reviewing the impact of the introduction of the new EF scale on the existing analysis.

It is also worth mentioning that the Canadian government (Environment Canada) and researchers have put a lot of effort into improving the quality of the data in the tornado database of Ontario, as well as into better understanding the tornado risk in Ontario, where most of the Canadian nuclear power plants are located [35, 36, 37].


The current state-of-the-art method to estimate wind hazards relies on the extrapolation of historical data using probabilistic models. However, because data observed over a relatively short period of time (several decades) are extrapolated to estimate the extreme value of high wind for return periods of one thousand, ten thousand or even over one hundred thousand years, the uncertainty may be significant and must be treated properly. Usually the licensee compares the results from different methodologies or different data sources to ensure the results are reasonably correct.

4. Other consequential risks

Seismically induced internal fires and floods are also considered by the licensees to address the FAI. The methodology used by OPG and Bruce Power was prepared in partnership with the Electric Power Research Institute (EPRI), including reviews by EPRI staff and U.S. and European utilities. It was also reviewed by Canadian utilities and PRA vendors. CNSC is following with interest the progress of the USNRC plan [38] in the development of the PSA methodology for seismically induced internal fires and internal floods.

5. Cliff-edge effects

The CNSC FAIs require the Canadian licensees to evaluate cliff-edge effects, as is also the case for both the WENRA Stress Test specifications and the USNRC letter to the licensees.

III) LESSONS LEARNED FROM THE IMPLEMENTATION OF FAIS

So far, CNSC staff has conducted some preliminary review for some of the methodologies and results. The authors are also involved in the review of the methodologies. The first stage of the implementation of FAIs has brought up some observations and areas that needed some guidance and/or clarification. These are:

1. Guidance on how to meet FAI requirements

FAIs provide the “what to do” and do not provide the details on the “how to”. FAIs only state that the licensees may use the PSA to address the FAI regarding external hazards. On the other hand, CNSC regulatory document S-294 requires the licensees to seek CNSC acceptance of the PSA methodologies prior to the conduct of the PSA.

The licensees have to develop their own methodologies to evaluate the external hazards, and the development of the hazard evaluation methodology is largely left to the licensees themselves. The selection of literature and the application of the published methodologies depend on the licensees and their consultants. This situation may cause inconsistency between licensees’ approaches.

The situation is different in the US, where the US NRC provided more detailed guidance to the licensees which ensures consistency in the final hazard evaluations.

2. The quality of the data used in the hazard analysis may need to be improved

The data, especially the meteorological data, are very important for the probabilistic hazard analysis since many methods extrapolate the available observations to the extreme events. In Canada, the licensees have to rely on some published data and some studies. It is usually the case that the existing data are not sufficient for the hazard analysis for certain sites. Thus, the licensees have to use US data to complement the Canadian data. CNSC may need to cooperate with other Canadian government agencies to develop sufficient and accurate datasets.


3. Regional characterization of some hazards

Some important hazards, such as tornado, tsunami, and seiche, may be regionally characterized through joint research or cooperation between several government agencies. There are some research programs going on in other Canadian government agencies for tornado, tsunami, etc. The need for close interaction between the CNSC and the federal and provincial authorities is recognized.

Tornado – since the tornado is a relatively frequent natural hazard in Southern Ontario and most of Canada’s nuclear power plants are located within this area, it is very important to have a comprehensive characterization of the tornado hazard within this region. Currently there are a couple of research projects going on in other Canadian government agencies.

Tsunami – Natural Resources Canada (NRCan) conducted a probabilistic tsunami hazard analysis for Canadian coastal areas in 2012 [26]. However, this report only estimates the frequencies of two categories of run-up levels, 1.5 meters and 3 meters, over time periods of up to 2500 years. Although this is a good start, the results may need to be refined to suit the application for nuclear power plants.

The results of these studies may not only be used by the licensees to conduct their site specific hazard assessment, but also be used for other applications such as site selection and plant design. CNSC staff can also compare the licensee’s site-specific hazard with the regional hazard.

4. Consistency in hazard analyses methodologies

Although licensees are supposed to submit their methodologies separately to CNSC for the acceptance, some licensees have teamed up and combined their efforts to develop common methodologies for their analyses. This attempt makes the final results more consistent among the licensees. It also makes it more efficient for both the licensees and the regulator since the CNSC has only to review one methodology.

5. Closure criteria for the FAIs

It is recognized that the closure criteria of the FAIs are not sufficiently detailed. CNSC staff is using US NRC staff guidance [29, 30] and other international guidance for the review of licensees’ submissions.

6. The treatment of uncertainty in the probabilistic hazard analysis

The licensees are currently using the extreme value analysis (EVA) method to generate the hazard curves. Although this method is acceptable and it is also considered up-to-date, care should be taken in attempting to fit an extreme value distribution to a data set representing only a short period of time. Therefore, the uncertainty of the results should be addressed.
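The caution above about fitting an extreme value distribution to a short record (also raised for high winds in section II.3) can be made concrete with an added example, which is not taken from the paper or from any licensee's methodology. It fits a Gumbel distribution by the method of moments to 40 constructed annual peak gusts and bootstraps an interval on each return level; the Gumbel choice, the moment fit, the bootstrap and the sample values are all assumptions made for illustration.

```python
"""Added illustration: uncertainty of return levels extrapolated from a short record."""
import math
import random
import statistics

EULER_GAMMA = 0.5772156649015329

# Constructed sample: 40 annual peak gust speeds in m/s (not real station data).
SAMPLE_ANNUAL_MAX_GUST_MS = [
    24.1, 27.3, 22.8, 30.5, 25.6, 23.9, 28.7, 26.2, 24.8, 33.1,
    25.0, 22.1, 27.9, 29.4, 23.4, 26.8, 24.5, 31.2, 25.9, 23.0,
    28.1, 26.5, 24.3, 35.4, 27.0, 22.6, 25.3, 29.9, 24.0, 26.0,
    23.7, 28.4, 25.5, 30.1, 24.9, 27.6, 23.2, 26.9, 32.0, 25.1,
]


def gumbel_fit_moments(annual_maxima):
    """Method-of-moments Gumbel fit; returns (location, scale)."""
    mean = statistics.fmean(annual_maxima)
    std = statistics.stdev(annual_maxima)
    scale = std * math.sqrt(6.0) / math.pi
    location = mean - EULER_GAMMA * scale
    return location, scale


def return_level(location, scale, return_period_years):
    """Value exceeded with annual probability 1/T under the fitted Gumbel."""
    p_non_exceed = 1.0 - 1.0 / return_period_years
    return location - scale * math.log(-math.log(p_non_exceed))


def bootstrap_fits(annual_maxima, n_resamples=2000, seed=1):
    """Refit the distribution to resampled records of the same length."""
    rng = random.Random(seed)
    n = len(annual_maxima)
    fits = []
    for _ in range(n_resamples):
        resample = [rng.choice(annual_maxima) for _ in range(n)]
        fits.append(gumbel_fit_moments(resample))
    return fits


def hazard_table(annual_maxima, return_periods, confidence=0.90,
                 n_resamples=2000, seed=1):
    """Point estimate and bootstrap percentile interval per return period."""
    location, scale = gumbel_fit_moments(annual_maxima)
    fits = bootstrap_fits(annual_maxima, n_resamples, seed)
    lo_idx = int((1.0 - confidence) / 2.0 * n_resamples)
    hi_idx = int((1.0 + confidence) / 2.0 * n_resamples) - 1
    rows = []
    for period in return_periods:
        levels = sorted(return_level(loc, sc, period) for loc, sc in fits)
        rows.append({
            "return_period": period,
            "estimate": return_level(location, scale, period),
            "low": levels[lo_idx],
            "high": levels[hi_idx],
        })
    return rows


if __name__ == "__main__":
    for row in hazard_table(SAMPLE_ANNUAL_MAX_GUST_MS, [100, 1_000, 10_000, 100_000]):
        width = row["high"] - row["low"]
        print(f"T={row['return_period']:>7} y  estimate={row['estimate']:.1f} m/s  "
              f"90% interval=[{row['low']:.1f}, {row['high']:.1f}]  width={width:.1f}")
```

The interval reflects sampling uncertainty only; the choice of distribution family is a further source of uncertainty that this sketch does not cover.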

7. Impact of climate change on some external hazards

The CNSC regulation for site selection [9] requires that climate change be considered in the hazard evaluation. Recent research in global climate change has shown that climate change has significant effects on the frequency and intensity of extreme meteorological events. Although the current FAIs do not explicitly require the licensee to address this issue, CNSC and the licensees may conduct some research projects with other Canadian government agencies to evaluate the impact of climate change on extreme meteorological hazards.


IV) SUMMARY

All Canadian licensees are currently preparing their plant-specific reports to address the relevant FAIs. Some preliminary hazard screening reports, as well as the reports for probabilistic seismic hazard analysis, external flood hazard and high wind hazard, have been submitted to CNSC. CNSC, in conjunction with other Canadian government agencies, is currently reviewing these reports to determine their acceptability. The licensees are expected to submit all required reports by the end of this year.

In the meantime, other Fukushima actions requiring facility enhancements are underway for some licensees. These include:

• acquiring additional emergency mitigating portable equipment, such as power generators and pumps, which can be stored onsite and offsite and used to bring reactors to a safe shutdown state, in the unlikely event of a severe accident (short term)

• increasing capabilities to control hydrogen and other combustible gases (e.g., procurement of passive autocatalytic recombiners (PARs) and monitoring equipment to be installed in reactor buildings and spent fuel pool areas; PARs can prevent hydrogen concentration from rising to combustible or explosive levels) (medium term)

• improving containment so as to prevent unfiltered releases of radioactivity resulting from an accident not previously considered credible (e.g., installing emergency filtered containment venting) (long term)

It is expected that once these safety enhancements are implemented, the safety of the nuclear power plants will be further improved.

Based on the available information, the authors have the following conclusions:

1) The CNSC FAIs in regard to external hazard analysis are in line with both the Western European Nuclear Regulators’ Association (WENRA) Stress test specifications and the US NRC letter to the licensees;

2) The methodologies developed by the Canadian licensees generally follow international consensus guidance and best practices;

3) Lessons learned from the international community have been implemented in the development of Canadian methodologies for external hazard analyses;

4) The results of the FAIs will improve the understanding of the actual external hazard risks and will provide assurance about the capability of nuclear power plants (NPPs) to withstand conditions similar to those that triggered the Fukushima accident.

REFERENCES

[1] Canadian Nuclear Safety Commission, CNSC Staff Action Plan on the CNSC Fukushima Task Force Recommendations including site specific measures undertaken by CNSC staff, CMD 12-M23, May, 2012 http://www.nuclearsafety.gc.ca/eng/commission/pdf/CMD12-M23withAttachments-e.pdf

[2] European Nuclear Safety Regulators Group (EUSRG), “EU Stress Test Specifications”, May 13, 2011 http://ec.europa.eu/energy/nuclear/safety/doc/20110525_eu_stress_tests_specifications.pdf


[3] USNRC, “SUBJECT: REQUEST FOR INFORMATION PURSUANT TO TITLE 10 OF THE CODE OF FEDERAL REGULATIONS 50.54(f) REGARDING RECOMMENDATIONS 2.1,2.3, AND 9.3, OF THE NEAR-TERM TASK FORCE REVIEW OF INSIGHTS FROM THE FUKUSHIMA DAI-ICHI ACCIDENT”, Mar 12, 2012

[4] CNSC, “CNSC Fukushima Task Force Report”, INFO-0824, Oct 2011 http://nuclearsafety.gc.ca/pubs_catalogue/uploads/October-2011-CNSC-Fukushima-Task-Force-Report_e.pdf

[5] CNSC, “Probabilistic Safety Assessment for Nuclear Power Plants”, Regulatory Standard, S-294, June 2005 http://nuclearsafety.gc.ca/pubs_catalogue/uploads/S-294_e.pdf

[6] Canadian Nuclear Safety Commission, “INFO-0828, CNSC Staff Action Plan on the CNSC Fukushima Task Force Recommendations”, Dec 2011 http://www.nuclearsafety.gc.ca/pubs_catalogue/uploads/INFO-0828-Draft-CNSC-Staff-Action-Plan-on-Fukushima-Dec-2011_e.PDF

[7] IAEA, “Procedures for Conducting Probabilistic Safety Assessments of Nuclear Power Plants (Level 1)”, 50-P-4, 1992

[8] IAEA Safety Standard SSG-3, “Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants”, 2010

[9] CNSC, “Site Evaluation of New Nuclear Power Plants”, RD-346, 2008 http://www.nuclearsafety.gc.ca/pubs_catalogue/uploads/RD-346_e.pdf

[10] IAEA, “Site Evaluation for Nuclear Installations”, NS-R-3, 2003

[11] IAEA, “Extreme external events in the design and assessment of nuclear power plants”, IAEA-TECDOC-1341, Mar 2003

[12] USNRC, “PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants”, NUREG/CR-2300, Jan 1983

[13] USNRC, “Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities”, NUREG-1407, June 1991

[14] ASME/ANS, “Addenda to ASME/ANS RA-S-2008 Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications”, ASME/ANS RA-Sa-2009, Feb 2009

[15] IAEA, “External Human Induced Events in Site Evaluation for Nuclear Power Plants”, NS-G-3.1, 2002

[16] Canadian Standard Association, “General Requirements for Seismic Design and Qualification of CANDU Nuclear Power Plants”, N289.1-08, 2008

[17] USNRC, Generic Issue 199, “Implication of Updated Probabilistic Seismic Hazard Estimates in Central and Eastern United States of America”, June 5, 2005

[18] IAEA, Specific Safety Guide SSG-9, “Seismic Hazards in Site Evaluation of Nuclear Power Plants”, 2010


[19] IAEA, Safety Guide, NS-G-2.13, “Evaluation of Seismic Safety for Existing Nuclear Installations”, 2009

[20] USNRC, NUREG/CR-0098, “Development of Criteria for Seismic Review of Selected Nuclear Power Plants”, N.M. Newmark, W.J. Hall, May 1978

[21] USNRC, “Central and Eastern United States Seismic Source Characterization for Nuclear Facilities”, NUREG-2115, Nov 2011

[22] USNRC, “Recommendations for Probabilistic Seismic Hazard Analysis: Guidance on Uncertainty and Use of Experts”, NUREG/CR-6372, Apr 1997

[23] EPRI, “Seismic Hazard Methodology for the Central and Eastern United States, Volumes, Revision 1”, EPRI NP-4726 V1P1, Jul 1986

[24] USNRC, EPRI, “Central Eastern United States – Seismic Source Characterization for Nuclear Facilities”, 2012 http://www.ceus-ssc.com/

[25] USNRC, “Design-Basis Flood Estimation for Site Characterization at Nuclear Power Plants in the United States of America”, NUREG/CR-7046, November 2011

[26] Natural Resource Canada, “A Preliminary Tsunami Hazard Assessment of the Canadian Coastline”, GEOLOGICAL SURVEY OF CANADA OPEN FILE 7201, 2012 ftp://ftp2.cits.rncan.gc.ca/pub/geott/ess_pubs/292/292067/of_7201.pdf

[27] Ontario Power Generation, Site Evaluation of the OPG New Nuclear at Darlington - Part 3: Summary of Seismic Hazard Evaluations, NK054-REP-01210-00015-R001, Sept, 2009 http://www.ceaa.gc.ca/050/documents_staticpost/cearref_29525/0105/ai-p3.pdf

[28] Ontario Power Generation, Site Evaluation of the OPG New Nuclear at Darlington - Part 5: Flood Hazard Assessment, NK054-REP-01210-00012-R001, Sept, 2009 http://www.ceaa.gc.ca/050/documents_staticpost/cearref_29525/0105/ai-p5.pdf

[29] USNRC, “Guidance for Performing the Integrated Assessment for External Flooding”, JLD-ISG-2012-05, Nov 2012, ML12311A214

[30] USNRC, “Guidance for Performing a Tsunami, Surge, or Seiche Hazard Assessment – Interim Staff Guidance”, JLD-ISG-2012-6, Jan 2013, ML12314A412

[31] USNRC, Regulatory Guide, “Design-Basis Tornado and Tornado Missiles for Nuclear Power Plants”, RG 1.76, Rev 1, Mar 2007

[32] USNRC, “Technical Basis for Regulatory Guidance on Design-basis Hurricane Wind Speeds for Nuclear Power Plants”, NUREG/CR-7005, Nov 2011

[33] USNRC, “Tornado Climatology of the Contiguous United States”, NUREG/CR-4461, Revision 2; PNNL-15112, Revision 1, 2007

[34] Environment Canada, “Enhanced Fujita Scale (EF-Scale)” http://www.ec.gc.ca/meteo-weather/default.asp?lang=En&n=41E875DA-1

[35] David Sills et al., “The Tornadoes in Ontario Project (TOP)”, 2004

[36] Cao, Z., and Cai, H., “Detection of Tornado Frequency Trend Over Ontario, Canada”, The Open Atmospheric Science Journal, 2011, 5, 27-31

[37] David Sills, “A Fresh Spin on Tornado Occurrence and Intensity in Ontario”, Presentation at the 2012 GLOM Workshop, 14-16 Mar, Chicago, IL http://www.crh.noaa.gov/Image/lot/GLOMW/Presentations/D2S4T1_Sills_GLOMW2012_TOP_FINAL2.ppt

[38] USNRC, “Plan for the Development of a Methodology for Seismically Induced Fires and Floods”, July 2012, ML121450226


THE ROLE OF EXTERNAL EVENTS PSA IN THE FINNISH REGULATORY APPROACH

Jorma Sandberg and Ulla Vuorio Radiation and Nuclear Safety Authority (STUK), Finland

ABSTRACT

PSA has been used in Finland to support regulatory decision making since the late 1980s. Seismic events, harsh weather and other off-site external events were included in the PSA models of the operating units in the 1990s, and several updates and extensions have been carried out since then. For new units a preliminary full scope PSA is required at the design phase and it shall be refined during construction.

The Finnish environmental conditions are, in general, moderate with no recorded destructive earthquakes and no experiences from extensive destruction by other natural events. However, even moderate external events may result in significant risks, if they are not properly considered in the design. For example, the northern climate poses some challenges to the design of nuclear power plants.

According to the current view, the original design basis of the operating units for seismic and other external events was not in all respects adequate. External events PSA has had an important role in evaluating the safety of the units and in making decisions on safety improvements. For new units external events have been considered extensively starting from the early design phase. External events PSAs were also used in the national and EU “stress tests” after the Fukushima accident.

1 INTRODUCTION

The external natural conditions in Finland can be described as moderate. No destructive earthquakes or tsunami waves have been observed. Storms are not comparable to tropical cyclones and strong tornadoes are rare. Snowstorms are common but not as severe as, e.g., the North American blizzards. Nevertheless, significant risks due to external natural and human induced hazards have been identified in external events PSAs and other safety analyses, and the Finnish utilities have made considerable efforts during the past twenty years to improve the resistance of nuclear facilities to external events. The assessments cover seismic events, external flooding, extreme weather, frazil ice formation and impurities in the seawater (including algae and oil spills from oil transport accidents).

There are four operating nuclear power plant (NPP) units in Finland: Teollisuuden Voima Oy (TVO) power company has two 840 MWe BWR units supplied by Asea-Atom at the Olkiluoto site and Fortum (formerly IVO) has two 500 MWe VVER 440/213 units at the Loviisa site. Seawater is used as the ultimate heat sink for both plants. The operating units were commissioned in 1977 – 1982. On both sites there is an intermediate water pool storage for spent fuel and a final repository for low and intermediate activity nuclear waste.

At the Olkiluoto site a new unit, Olkiluoto 3 (OL3), has been under construction since 2005. OL3 is a 1600 MW EPR type pressurized water reactor supplied by Areva NP. In addition, the Finnish Government has granted decisions in principle for an additional unit at the Olkiluoto site (OL4) and for one unit to be built by a new utility, Fennovoima, on a green field site.

2 REGULATORY REQUIREMENTS

Requirements on the use of PSA

The Probabilistic Safety Analysis (PSA/PRA) is a mandatory licensing document in Finland. The first requirements on the use of PSA for existing Nuclear Power Plants (NPP) were set forth in 1984 in a STUK decision requiring that the utilities Fortum (former Imatran Voima Oy) and TVO conduct extensive PSA for the Loviisa and Olkiluoto nuclear power plants. The objective of the study was to determine the plant-specific risk topographies of the essential accident sequences. Another important objective was to enhance the plant personnel’s understanding of the plant and its behaviour in different situations. The PSAs were also to be updated regularly. Therefore STUK also required that the PSAs be performed mainly by the utility personnel and that external consultants be used only for special topics.

The requirements on PSA have been included in the mandatory legislation since 1988. The Nuclear Energy Decree (161/1988) requires that the operating licence applicant submit a PSA to STUK for reviewing the application. The requirement on a preliminary design phase PSA in connection with the construction licence application was included first in the regulatory Guide YVL 2.8 issued by STUK in 1996 and in 2008 also in the Nuclear Energy Decree. [1]

According to the Government Decree on Nuclear Safety (733/2008) PSA shall be maintained and revised if necessary, taking into account operating experience, the results of experimental research, plant modifications and the advancement of calculation methods.

The detailed requirements on the use of PSA are set forth in the Regulatory Guide YVL 2.8 on PSA issued by STUK. The Guide was updated in 1996 and 2003. Currently the Guide requires a full-scope PSA for power operation and low-power and shut-down states, including internal events, fires, floods, seismic events, harsh weather and other external events. PSA shall cover the probability of core damage (Level 1) and large release of radioactive substances (Level 2). PSA shall be updated continuously to reflect plant and procedure modifications and changes in reliability data (Living PSA).

Guide YVL 2.8 Probabilistic safety analysis in safety management of nuclear power plants [1] currently in force includes the following probabilistic safety goals:

- Core damage frequency mean value less than 1·10⁻⁵/year

- Large radioactive release (> 100 TBq Cs-137) frequency mean value less than 5·10⁻⁷/year.

These safety goals apply as such to new NPP units. For operating units, instead of the numerical safety goals, the SAHARA (safety as high as reasonably achievable) principle and the principle of continuous improvement are applied.

Guide YVL 2.8 also includes requirements on several risk-informed applications, such as analysis of plant modifications, risk-informed in-service inspections and testing, development of emergency operating procedures and training programmes and review of safety classification and Limiting Conditions for Operation.

For a new plant unit, a preliminary PSA (design phase PSA) shall be submitted to STUK for the review of the construction licence application. The design phase PSA shall cover Level 1 and Level 2 for power operation and shutdown states and for all groups of initiating events, including seismic events and other external events. The PSA shall be updated and extended during construction and the updated PSA shall be submitted for the review of the operating licence application, see Table 1.


PSA computer models shall be made available to STUK. STUK uses PSA routinely to support its decision making, for example, in review of plant modifications and applications for exemption from Limiting Conditions for Operation and in analysis of operating events.

Table 1. PSA and Licensing of NPPs in Finland [2].

Decision in principle (DiP) on the construction of a nuclear power plant

• Political debate on whether using nuclear energy is for the overall good of society
• Acceptance by the site municipality is a precondition
• STUK’s preliminary safety assessment (PSA not required at this stage)
• Government decision and Parliament ratification/rejection

Application for a construction license (CDF < 1E-5 /a, LRF < 5E-7 /a)

• Submission of level 1 and 2 design phase PSA to STUK, including external events
• Evaluation of the acceptability of design phase PSA (upgrade of PSA and/or the plant design)

Construction phase

• Completion of design phase PSA (applications such as RI-ISI, RI-IST, RI-TS, RI-PM, training, procedures, safety classification of SSC)

Application for an operating license (CDF < 1E-5 /a, LRF < 5E-7 /a)

• Submission of level 1 and 2 PSA to STUK
• Evaluation of the acceptability (upgrade of PSA and/or the plant)

Operation phase

• Regular update of PSA
• Utilization of PSA during operation (plant modifications, RI-ISI, RI-IST, RI-TS, RI-PM, training, procedures, incident and event analysis)

Guide YVL 2.8 is being updated in STUK’s ongoing renewal of Regulatory Guides. In the new Guide YVL A.7, Nuclear power plant probabilistic risk analysis and risk management, requirements on the use of PSA in the decommissioning phase have been added, and the list of applications and documents to be submitted to STUK has been specified.

Requirements on design for external events

The general deterministic requirements for considering external events in the design of a NPP are set forth in the Government Decree on the Safety of NPPs. Detailed requirements for seismic design are presented in the Guide YVL 2.6 Seismic events and nuclear power plants. The deterministic treatment of other external events has been on a very general level in the Regulatory YVL Guides. In Guide YVL 1.0 Safety criteria for design of nuclear power plants it is briefly stated that external events shall be taken into consideration in the design and a list of some examples is given.

The external events will be treated in more detail in the new Guide YVL B.7 Protection of nuclear facilities against internal and external hazards, to be published in 2013. The guide includes requirements on design for seismic events and for other external events. The part on seismic design is an updated version of the current Guide YVL 2.6 and the part on other external events is entirely new. The guide also includes requirements on layout design, separation of safety divisions and design for internal hazards other than fires. The new guide will be used as such in the new NPP projects and a separate decision will be made on the extent of application of the new guide to units in operation or under construction. Malevolent acts, including the large airplane crash, are treated in Guide YVL A.11 Security arrangements of a nuclear facility.

External events have to be included in the general design basis of safety systems up to intensities determined with site specific analyses. Rare events exceeding the general design basis have to be considered as design extension conditions of class C (DEC C). The design for DEC C events can be based on best estimate analyses and the single failure criterion need not be observed, as explained in draft Guide YVL B.1 Safety design of a nuclear power plant.

Seismic design basis

When applying for a construction licence for a nuclear facility, the applicant shall submit to STUK a proposal for a site-specific design basis earthquake. The design basis earthquake shall be defined so that in the current geological circumstances the anticipated frequency of occurrence of stronger ground motions at the site is not more often than once in a hundred thousand years (1·10⁻⁵/y) at the median confidence level. In addition to the area’s seismic history, regional and local geology as well as tectonics shall also be considered.

In practice, the design basis earthquake must be determined with Probabilistic Seismic Hazard Analysis (PSHA), although the use of any specific standard or procedure is not required. The design basis earthquake submitted by the licence applicant is reviewed by STUK using national or international experts as consultants if necessary. Due to the long duration of the review of the PSHA results and the possible updates, the license applicant can ask STUK to give its preliminary opinion on the design basis earthquake well before submitting the construction licence application.

According to the IAEA guides the design basis PGA should be at least 0.1 g. As the calculated PGA is lower for the Olkiluoto and Loviisa sites, the PGA value 0.1 g is used as the design basis value.

Earthquakes with frequency of exceedance between 10⁻⁷/year and 10⁻⁵/year have to be considered as design extension condition DEC C. For example, in Olkiluoto the design basis PGA is 0.1 g and the DEC C PGA level is 0.23 g according to the current hazard curves. The compliance with the DEC C requirements can be shown with seismic margin assessment. The seismic resistance of a system, structure or component is considered sufficient, if the HCLPF (High confidence, low probability of failure) value (5 % failure probability at 95 % confidence level) is less than the DEC C earthquake PGA.
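The frequency bands above can be turned into a small calculation. The following Python sketch is an added illustration, not part of the paper and not a STUK or licensee method: it interpolates a constructed hazard curve log-log (an assumption), pinned to the two Olkiluoto values quoted in this paper (about 0.08 g at a 10⁵ year return period and 0.23 g at the DEC C limit), applies the 0.1 g minimum and classifies a ground motion.

```python
import math

IAEA_MIN_PGA_G = 0.1       # minimum design basis PGA cited in the text
DESIGN_BASIS_FREQ = 1e-5   # 1/year, median confidence level
DEC_C_LOWER_FREQ = 1e-7    # 1/year, lower bound of the DEC C band

# Constructed median hazard curve: (PGA in g, annual frequency of exceedance).
# Only the two points marked "paper" are taken from the text; the rest are
# made-up values so that the curve has a realistic shape.
HAZARD_CURVE = [
    (0.02, 1e-3),   # constructed
    (0.04, 1e-4),   # constructed
    (0.08, 1e-5),   # paper: about 0.08 g at a 1e5-year return period
    (0.23, 1e-7),   # paper: DEC C PGA level for Olkiluoto
    (0.40, 1e-8),   # constructed
]


def interp_loglog(x, x0, y0, x1, y1):
    """Interpolate y(x) on a straight line in log-log space (an assumption)."""
    t = (math.log(x) - math.log(x0)) / (math.log(x1) - math.log(x0))
    return math.exp(math.log(y0) + t * (math.log(y1) - math.log(y0)))


def frequency_at_pga(pga_g, curve=HAZARD_CURVE):
    """Annual frequency of exceeding the given PGA."""
    for (a0, f0), (a1, f1) in zip(curve, curve[1:]):
        if a0 <= pga_g <= a1:
            return interp_loglog(pga_g, a0, f0, a1, f1)
    raise ValueError("PGA outside the tabulated hazard curve")


def pga_at_frequency(freq, curve=HAZARD_CURVE):
    """PGA whose annual frequency of exceedance equals freq."""
    for (a0, f0), (a1, f1) in zip(curve, curve[1:]):
        if f1 <= freq <= f0:
            return interp_loglog(freq, f0, a0, f1, a1)
    raise ValueError("frequency outside the tabulated hazard curve")


def design_levels(curve=HAZARD_CURVE):
    """Return (design basis PGA, DEC C PGA) in g.

    The design basis is the 1e-5/year value, but never below the 0.1 g
    minimum; the DEC C level is the 1e-7/year value.
    """
    design_basis = max(pga_at_frequency(DESIGN_BASIS_FREQ, curve), IAEA_MIN_PGA_G)
    dec_c = pga_at_frequency(DEC_C_LOWER_FREQ, curve)
    return design_basis, dec_c


def classify(pga_g, curve=HAZARD_CURVE):
    """Place a ground motion in the design basis, DEC C or beyond."""
    design_basis, dec_c = design_levels(curve)
    if pga_g <= design_basis:
        return "design basis"
    if pga_g <= dec_c:
        return "DEC C"
    return "beyond DEC C"


if __name__ == "__main__":
    dbe, dec_c = design_levels()
    print(f"design basis PGA: {dbe:.2f} g, DEC C PGA: {dec_c:.2f} g")
    for pga in (0.09, 0.15, 0.30):
        print(f"{pga:.2f} g -> {classify(pga)}, "
              f"exceedance {frequency_at_pga(pga):.2e}/year")
```

Because the 0.1 g minimum governs, a 0.09 g motion falls inside the design basis even though the curve puts its exceedance frequency below 10⁻⁵/year.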

The principles on seismic classification are set forth in the new Guide YVL B.2 Safety classification of systems, structures and components in nuclear facilities.

The licensee shall demonstrate that the structures and components with seismic design requirements meet the requirements. Demonstration may be in the form of analyses, tests, up-to-date empirical assessments or their combinations.


Other external events

According to the draft Guide YVL B.7 a report on the design for external events shall be submitted to STUK for the review of the construction licence application. The report shall describe the external events and conditions and their combinations which are considered in the design and the provisions for protection against them. In practice, the external events PSA screening analysis can be used to support this report.

At least the following events and conditions have to be considered in the design of a nuclear facility:

• high and low seawater level
• ice, including pack ice and frazil ice
• impurities in the seawater (algae, mussels, oil)
• high or low atmospheric temperature
• high winds incl. tornadoes and downbursts
• high or low as well as variable air pressure
• rain, snow, hail
• freezing rain and splashes from sea or watercourses
• atmospheric moisture, fog, mist, rime ice
• lightning
• drought
• magnetic interference caused by solar bursts.

Hazard curves shall be determined for quantifiable hazards based on observed data from the site or its vicinity.

The following general principles shall be followed in selecting design values for external events and conditions:

• design values shall include an adequate margin in relation to the peak values measured at the facility site and in its vicinity
• in determining design values, phenomena shall be examined whose estimated frequency of occurrence at the site is higher than 10⁻⁵/year at the median confidence level
• if it can be reliably shown that an external event or condition has no effect on a certain postulated accident, a design value corresponding to exceedance frequency 10⁻⁴/year can be used for the systems required for managing the postulated accident in question
• the safety significance of safety-important systems, structures and components shall be considered in selecting their design values and the adequacy of the design values shall be justified.

The dependencies affecting the simultaneous occurrence of external events are to be taken into account in selecting design values as well as in applying the redundancy and separation principles. A hazard arising from unlawful action need not be taken into account simultaneously with external hazards caused by exceptional natural phenomena or regular human actions.

Exceptional external events and conditions with an estimated frequency of occurrence less than 10⁻⁵/year shall be considered as design extension conditions (DEC C events). The licence applicant/licensee shall present and justify external phenomena considered as DEC C events. In selecting the phenomena and their magnitude, the limit values for core damage frequency (CDF) and large release frequency (LRF) presented in Guide YVL A.7 shall be taken into account. A justified margin in relation to the observed maximum values of the phenomena shall be incorporated in the DEC C design values.

To take into consideration the large uncertainties in the distribution of extreme seawater level values and to ensure sufficient margin for seawater flooding, the design seawater level shall be at least the water level estimated possible at the site once in a hundred years (median confidence level) plus two metres and a site-specific wave margin.

The licensee shall have procedures for the monitoring of external hazards affecting facility safety and for operation during situations with a clearly increased possibility of an external event affecting the safety functions and also during events involving an external event that has compromised implementation of the safety functions.

The adequacy of design values for external events and conditions shall be verified by means of probabilistic safety analysis. The PSA shall take into account interdependencies between natural phenomena. Draft Guide YVL A.7 presents limits for a core damage frequency (CDF) and a large release frequency, which also include the external hazard contribution.

3 EXTERNAL EVENTS PSA FOR THE FINNISH NPP UNITS

Seismic PSA

When the Olkiluoto and Loviisa NPPs were built there were no requirements on the seismic design of NPPs in Finland because the seismicity in Finland is very low. However, later the risk analyses have helped to identify some vulnerabilities in the NPPs [4, 5, 6, 8, 11].

The seismic risk analysis for the Olkiluoto NPP was completed in 1997. The peak ground acceleration with a 10⁵ year return period was estimated as about 0.08 g. First, the core damage frequency due to seismic phenomena was found to be quite high and it was the dominating fraction in the total core damage frequency, Fig. 1. The risk was mainly due to poor supports of batteries, rectifiers and inverters of direct current systems. When the supports were improved, the seismic risk was reduced to a fraction. The remaining risk was mainly due to relay chatter possibly resulting in dangerous combinations of spurious signals that could lead, in the worst case, to simultaneous opening of reactor relief valves and isolation of emergency core cooling systems. Plant modifications were later implemented to fix the problem. According to the current seismic PSA the seismic CDF is 1.7·10⁻⁷/year or 1.3 % of the total CDF.

For the Loviisa NPP a seismic risk study was done in the early 1990s. In the Loviisa area the seismic activity is slightly lower than in Olkiluoto. The core damage frequency due to seismic events was found to be small but the uncertainty of the results is high. During 2007-2010 the seismic PSA of the Loviisa NPP was updated using more detailed finite element modeling and quantification techniques. The updated seismic CDF of 1.3·10⁻⁷/year is less than 0.5 % of the total CDF and an order of magnitude lower than the earlier results. In particular, the fragility analyses of major components such as feedwater tanks and the seismic response analyses of the reactor and turbine buildings contributed to the risk estimate reduction. According to the updated seismic PSA the steam generators are the most significant contributors to seismic risk. [11]

Earthquakes were included in the original design basis of Olkiluoto 3. Seismic PSA has not been finalized but according to the preliminary results the seismic risk is very low.

Non-seismic external events PSA

The external events PSAs for the operating Finnish NPP units were conducted in the 1990s and since then several updates and extensions of the scope have been carried out as described, e.g., in [3, 4, 5, 7].

Loviisa

Potential risks identified at the Loviisa NPP by the early external events PSA included blockage of the seawater intake rotating screen filters by algae or other impurities. The consequent loss of residual heat removal could develop into a small loss of coolant accident due to the failure of main circulation pump seal cooling. Later the possibility of a major oil transport accident in the Gulf of Finland turned out to be a significant contributor to the risk of seawater intake blockage. Several modifications of the plant systems and emergency operating procedures were implemented to remove or decrease these risks, including alarms on the pressure difference caused by incipient blockage of the rotating screen filters and alternative seawater intakes from the outlet side.

Figure 1. The development of the Olkiluoto 1 and 2 NPP units core damage frequency estimate [1/year] corresponding to different initiating event groups.


Figure 2. The development of the Loviisa 1 NPP unit core damage frequency estimate [1/year] corresponding to different initiating event groups.

Currently the contribution of the non-seismic external events to the CDF is 7.3·10⁻⁶/year or 24 % of the total CDF 3.05·10⁻⁵/year. The main contributors are oil slick during cold shutdown states with unpressurized primary circuit when residual heat removal cannot be done from the secondary side, extreme wind (> 45 m/s) capable of extensive structural damage, snowstorm and lightning and high seawater level during shutdown with open hatches in the seawater system.

Olkiluoto 1 and 2

For Olkiluoto 1 and 2 the current core damage frequency (CDF) estimate is 1.34·10⁻⁵/year. The loss of feedwater due to external events makes a contribution of about 34 %, and the loss of off-site power due to external events about 5.7 % of the total CDF. About 20 % of accident sequences corresponding to these initiating event groups involve blockage of seawater intakes by oil slick, algae or frazil ice.

Olkiluoto 1 and 2 are sensitive to the loss of seawater cooling due to two characteristic system dependencies in the units. First, the auxiliary feed water system has piston pumps and the reactor coolant level control is implemented by feed water line valves. When feed water supply to the reactor vessel is shut off the flow is directed to a circulation line. If the cooling of the circulation line is lost, the pumps will heat up the water and the pumps may fail. An alternative way of cooling the reactor during seawater system failure is reactor vessel depressurization and low pressure core cooling.

Secondly, the diesel generators are seawater cooled. It is possible that the same external event, e.g., a heavy storm, can simultaneously result in the loss of off-site power and failure of diesel generators due to seawater intake blockage by impurities.

Several safety improvements related to external events have been implemented in Olkiluoto 1 and 2 based on operating experience and the earlier versions of the external events PSAs, including alternative emergency diesel generator combustion air intakes from inside the diesel rooms to be used in case of blockage of the normal intakes by snow, a warm outlet water return line to the seawater intake to prevent frazil ice formation, use of the alternative seawater intake from the outlet side for two safety trains out of four in winter and installation of flushable “mussel filters” in the seawater lines.

Olkiluoto 3

The operating experiences from the existing units and insights from their external events PSA have been taken into consideration in the design of Olkiluoto 3. For example, seawater intake for the service water system can be switched to the outlet channel. For prevention of frazil ice formation, a dedicated anti-icing system has been designed to pump warm water to the inlet channel and to heat coarse bar screens by electricity. The loss of the seawater systems for 72 hours has been included in the design basis of safety systems. The emergency diesel generators have radiator cooling and their operation is independent of seawater.

The simultaneous loss of offsite power and blockage of emergency diesel generator air intakes by snowstorm has been identified as a potential risk at the Finnish NPPs. Therefore special attention has been paid to the prevention of Olkiluoto 3 diesel generator combustion and cooling air blockage by snow or ice.

External events PSA in the “stress tests” after the Fukushima Dai-ichi accident

After the Fukushima Dai-ichi accident, additional focused safety reviews or “stress tests” were conducted on national [8] and European Union level [9, 10].

The information gathered in connection with external events PSA was used especially for topics 1 to 3 (earthquakes, flooding, extreme weather), whereas the answers to topics 4 (loss of electricity and of ultimate heat sink) and 5 (severe accidents) were mainly based on the design information included in the final safety analysis reports. However, topics 1 to 3 and topic 4 are partly overlapping as external events are possible causes of loss of electricity and loss of ultimate heat sink.

The overall conclusion of the stress tests was that the Finnish NPPs are, in general, well prepared for the external events considered in the stress tests. However, some areas for additional studies and safety improvements were identified.

Some possible improvements are under consideration for Olkiluoto 1 and 2, for example:

• Modification of the auxiliary feed water system so that the recycling line is replaced by a line to the water tank so that heating of the water in the case of loss of seawater cooling is much slower than in the current situation.
• Additional feed water supply from the fire fighting water system with a booster pump. The system would be independent of the present electric supply systems.
• The renewal of the emergency diesel generators had been started before the Fukushima accident. The new diesels will have diverse cooling with seawater and air.

The above mentioned modifications have the potential to reduce the current CDF of Olkiluoto 1 and 2 by about 50 per cent.

The Olkiluoto 3 EPR has been originally designed to be quite resistant against earthquakes, large airplane collision, harsh weather conditions and the loss of ultimate heat sink (seawater) and the containment has been designed to withstand a core melt accident. However, the safety systems are driven by electric power and a long term total station black-out would result in a core melt. The need to implement diverse cooling systems is still under consideration.

In the Loviisa NPP the possible safety improvements include better protection against exceptionally high seawater level. Some improvements to reduce the risk of seawater flooding through open service hatches of the seawater system during annual shut-down have already been implemented. Design of small cooling towers to ensure long term cooling in case of loss of seawater cooling is underway. Oil spill from a transport accident is one possible cause of loss of seawater as the ultimate heat sink. As an increasing fraction of Russian oil exports is transported from the St. Petersburg area, the risk of a major oil transport accident in the Gulf of Finland cannot be excluded although the safety of sea transports in the Baltic Sea has been improving. In the Loviisa plant the total loss of electric power and a short term total loss of seawater cooling can be managed with a diesel engine driven additional emergency feed water system.

The details of the ongoing stress test related activities can be found in the Finnish stress test report [11] and the national action plan [12] and in Ref. [13].

4 CONCLUSIONS

According to the Finnish experience, external events PSA is a useful tool in the safety management and regulatory control of nuclear power plants. It has been used to identify and prioritize possible safety improvements and to evaluate the adequacy of the design basis. It has also been used in support of licensing of new units and periodic safety reviews of operating units.

REFERENCES

[1] The Finnish nuclear legislation and the regulatory YVL Guides are available on STUK’s www pages www.stuk.fi > In English > StukLex – the legal database, and the new YVL Guide drafts will be published on www page https://ohjeisto.stuk.fi/YVL/?en=on

[2] Ari Julin, Jorma Sandberg and Reino Virolainen, Role of PRA in New NPP Projects, Workshop Proceedings on PSA for New and Advanced Reactors, OECD Conference Centre, June 20 - 24, 2011 Organized by the OECD/NEA WGRISK, NEA/CSNI/R(2012)2.

[3] Jänkälä K, Rantalainen L, Vaurio J. Severe Weather Risk Assessment for Loviisa Power Plant, Proceedings of PSAM7/ESREL2004 conference held in Berlin, Germany, June 14-18, 2004, Vol.3 (1510-1515) Springer, 2004.

[4] Sandberg J, Virolainen R. External Events Analysis for Present and Future Nuclear Power Plants – A Regulatory View, Proceedings of PSAM7/ESREL2004 conference held in Berlin, Germany, June 14-18, 2004, Vol.3 (1516-1521) Springer, 2004.

[5] Sandberg J, Julin A, Marttila J, Virolainen R. Regulatory Review of Internal and External Hazards of EPR 1600 in Finland, Proceedings of the 8th International Conference of Probabilistic Safety Assessment and Management, PSAM8, New Orleans, 14-19 May 2006.

[6] Sandberg J, Välikangas P, Hytönen Y. Seismic Risk Analysis and Design in Finland - A Regulatory View, Specialist Meeting on the Seismic Probabilistic Safety Assessment of Nuclear Facilities held on Jeju Island, Korea 6-8 November 2006, NEA/CSNI/R(2007)14, OECD, Paris.

[7] Sandberg J. Weather and Seismic Risk Analyses of the Finnish Nuclear Power Plants – Results and Lessons Learned, In: Apostolakis GE, Aldemir T (Eds.) International Topical Meeting on Safety Assessment, PSA’02, Detroit, USA, 6-9 October 2002.

[8] STUK press release. STUK has given the ministry a report on how nuclear power plants are prepared for exceptional natural phenomena, including link to STUK’s report: http://www.stuk.fi/stuk/tiedotteet/2011/en_GB/news_680/

[9] EU Commission stress test pages: http://ec.europa.eu/energy/nuclear/safety/stress_tests_en.htm

[10] ENSREG Stress Test pages: http://www.ensreg.eu/EU-Stress-Tests

[11] Routamo T. (ed.). European Stress Tests for Nuclear Power Plants, National Report. http://www.stuk.fi/stuk/tiedotteet/2011/en_GB/news_707/_files/86852642696986919/default/EU-StressTests-National_Report-Finland30122011.pdf

[12] STUK. European Stress Tests for Nuclear Power Plants, National Action Plan, 2012. http://www.stuk.fi/stuk/tiedotteet/fi_FI/news_810/_files/88873019816294632/default/European_Stress_Test_-_National_Action_Plan_-_Finland.pdf

[13] Sandberg J., Laitonen J. The Role of PSA in the Fukushima Related Safety Assessments in Finland, Proceedings of PSAM2013 conference, Tokyo, April 14-18, 2013.


CLOSING SESSION

Summary of the Opening Session

Summary of Session 1: Analysis of External Hazard Potential

Summary of session 2: Specific features of analysis and modeling of particular natural external hazards

Summary of session 3: Practices and research efforts on natural external events PSA

Summary of session 4: Modeling of NPP response to natural external events in PSA

Summary of session 5: Seismic Risk Analysis

Summary of session 6: Use of external events PSA with the focus on regulatory body role

Facilitated discussion 1 summary: Where do we stand in the analysis of external events?

Summary Facilitated Discussion 2: Findings and Good Practices for External Events Analysis
